How to keep the NHS cyber secure

Coronavirus must be the health service’s top priority, but its response should not leave it open to cyber attacks. 

The coronavirus outbreak has forced many of us to adopt new ways of communicating, both at work and in our personal lives. Technology can help us with this. But, as many people have found out the hard way, the platforms that allow us to connect with one another are not always secure. Unwanted participants can join and record conference calls. Data could be stored inappropriately. And cyber criminals are always looking for new vulnerabilities they can exploit to steal or extort.

The NHS faces unique cyber security challenges at the best of times. There are more than 200 trusts in England alone, each with computer networks that need to be protected, while NHS England’s core infrastructure connects 28,000 healthcare systems across 21,000 organisations. Coronavirus has meant many frontline staff are currently working in new roles in hospitals, using unfamiliar systems. Elsewhere, GPs are being asked to provide care remotely wherever possible, so that patients don’t need to visit surgeries.

To provide the best possible care, health professionals need to access and share sensitive data about patients – but they also need to ensure that this data is protected appropriately. There are new tools available that do this; NHS Digital has recently confirmed that the Hospify app meets its standards. This makes it the first messaging app certified for use by both patients and professionals. Staff previously communicated via personal, insecure apps.

The WannaCry cyber attack in 2017 forced the NHS to cancel more than 19,000 appointments and divert ambulances away from five hospitals. Nevertheless, when the Public Accounts Committee reviewed the response to the attack, we concluded that the NHS had got off lightly. The attack had been relatively unsophisticated, and was not specifically targeted at the NHS. It also took place on a Friday, which meant that services that don’t operate at the weekend were less affected than they could have been. And a cyber security researcher found a “kill-switch” to stop the virus spreading later that same day.

The potential harm that a comparable attack could cause right now does not bear thinking about. We told the government then that it needed to urgently put in place plans to implement the lessons learned from WannaCry, since cyber security is essential for patient safety. While some such changes have been made, work on others is still ongoing. Responding to Covid-19 must be the NHS’s top priority, but it is important that cyber security is not overlooked, and that the response to coronavirus does not leave the health service open to cyber attacks.

There are other lessons learned from WannaCry that are particularly relevant across the public and private sectors at the moment. For instance, NHS trusts could have protected themselves against the attack if they had applied the latest security patches and maintained strong firewalls. Many employers are currently rolling out new remote working tools to allow their staff to connect to corporate networks from home, or are making much greater use of existing tools. Some versions of these tools are known to have vulnerabilities. If not fixed, these can leave an organisation open to attack, just as a failure to patch systems left some NHS trusts vulnerable to WannaCry.

Employers need to make sure that they do not overlook security in their haste to get staff back online. They also need to recognise that products originally designed for personal use may not offer the security protections that corporate users require. In many cases, products that were designed to be secure from the outset will be more appropriate.

The British economy is highly dependent on the internet. However, the Public Accounts Committee last year warned that the government has not done enough to enhance cyber security across the economy. We have also been concerned for some time that British citizens do not have the cyber security awareness they need. In 2017, we reported that British workers are less confident in their ability to protect data and devices than their counterparts in Brazil, South Africa and China.

More recently, a government survey found that almost a third of people don’t feel they know how to protect themselves online. It is essential that everyone is able to take care of themselves online. Cyber criminals will exploit any gaps they can identify. They have been quick to take advantage of the coronavirus epidemic, adapting existing scams designed to steal money and collect sensitive personal information.

It is also clear that the country does not have enough cyber security specialists. We raised this first when we examined how government protects its own information, then when we evaluated how successful the first National Cyber Security Strategy had been, and again when we investigated the response to the WannaCry attack. Yet such skills gaps persist; government research indicates that 48 per cent of businesses do not have enough people with the skills to carry out basic cyber security tasks such as setting up firewalls. Firms, including specialist cyber firms, also face a shortage of people with more advanced skills.

The government told us in 2019 that it would be some time before it could evaluate whether its efforts to increase the number of people with cyber skills were working. It is vitally important that these efforts do succeed. The unprecedented disruption to our way of life in recent weeks shows just how important it is to have people who can respond with speed and flexibility to meet unforeseen challenges. It seems inevitable that the coronavirus pandemic will normalise remote working. High-level and personal cyber security must be at the heart of this new normal.

Meg Hillier MP is chair of the Public Accounts Committee.

This article originally appeared in the New Statesman's Spotlight report on cyber security of May 2020.