Experts have warned that ageing IT equipment and infrastructure is leaving the NHS dangerously exposed to more damaging cyber breaches and incidents in the same vein as the ransomware attack that hit pathology services provider Synnovis in June, causing extensive disruption to frontline care in London.
Speaking to the BBC, Ciaran Martin, the founding chief executive of the UK’s National Cyber Security Centre (NCSC), said he was “horrified, but not completely surprised” by the 4 June attack.
The incident led to the cancellation of thousands of medical procedures and ultimately saw the leak of 400GB of sensitive data by the Qilin gang, after Synnovis refused to pay a ransom demand.
He said it was “quite clear” the NHS was running a lot of out-of-date IT, and also that the NHS needed to do better at identifying and addressing vulnerable points that might afford a cyber criminal access to its systems, and do more to address basic cyber security best practice.
Martin’s concerns are backed up by doctors, with a December 2022 British Medical Association (BMA) report revealing that clinicians were wasting over 13 million hours every year thanks to delays arising from “inadequate or malfunctioning” systems and equipment. At the time, this was the equivalent of 8,000 full-time doctors, or £1bn.
A total of 80% of doctors who responded to the survey on which the BMA based its report said that improving IT infrastructure would have a positive impact in clearing the enormous backlogs faced by the NHS.
Doctors who spoke to the BBC Investigations team reported using 10-year-old PCs running Windows 7, and lamented 14 years of steady funding cuts from the previous government.
Cyber basics missed
Although NHS England has said it has spent almost £340m on improving cyber security across the health service since 2017, Martin’s warnings come after Computer Weekly exposed a lack of attention paid to basic issues such as multi-factor authentication (MFA) in parts of the health service.
Last month, whistleblowers highlighted how NHS England’s Outcomes and Registries Programme (ORP), which aims to collect data from various clinical registries in the service of better patient care, was potentially exposing highly sensitive data to interference and theft by leaving the programme’s access portal exposed to the public internet, without multi-factor authentication in place.
NHS England told Computer Weekly that ORP had been tested to the relevant credentials and the supplier enlisted to run the programme complied with current standards. It said that when the contract was first awarded, MFA – considered a fundamental cornerstone of cyber defences – was not a requirement for externally facing, internet-based systems, but that it was now being put in place.
“No industry is untouchable when it comes to cyber crime, and sadly the NHS is a prime target given its ageing IT infrastructure and the amount of confidential data it stores,” said Gregg Hardie, director of public sector at SailPoint. “Its complex webs of access needs make it easier for malicious actors to hack and exploit confidential patient data.
“The NHS and all healthcare companies must ensure they implement multiple security controls to protect against today’s fast-evolving cyber landscape,” he said. “But to reduce the risk of a breach occurring in the first place, technology like identity security is crucial in order to manage who has access to what and immediately flag any suspicious behaviour within an organisation.”
