
Two years after WannaCry, the NHS is still under-investing in security

In May 2017, the WannaCry ransomware virus swept through dozens of hospital trusts around the UK. The incident forced doctors to cancel around 19,000 appointments and left the health service with a £93m bill. It also prompted the government to pledge £150m towards improving the health service’s defences.

But according to a new report published this week, many trusts are still critically under-investing in security. Researchers at Imperial College London warn that while some progress has been made since the attack, outdated computer systems, a lack of investment and a deficit of skills and cyber awareness mean many hospitals are still vulnerable to attacks more than two years on.

“Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased,” said Dr Saira Ghafur, lead author of the report. “However we still need further initiatives and awareness, and improved cyber security ‘hygiene’ to counteract the clear and present danger these incidents represent.”

The report warns that further ransomware attacks could once again leave medical staff locked out of their systems and unable to provide patient care. It also warns that new attacks could compromise life-saving medical equipment or lead to the theft of patient data.

The authors of the report noted that NHSX, a newly launched technology unit founded by the health secretary Matt Hancock, would be tasked with clarifying who within the NHS is responsible for cyber security.

Although the National Cyber Security Centre has assisted NHS trusts in the past and NHS Digital provides advice on technology, hospitals are responsible for their own security setup. To mitigate the threat, trusts should allocate funding towards employing cyber security professionals and introducing firewalls to contain attacks, the report said.

Lord Darzi, the head of Imperial’s Institute of Global Health Innovation, said: “We are in the midst of a technological revolution that is transforming the way we deliver and receive care. But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel.”

A spokesperson for NHSX commented: “The NHS is determined to keep its systems safe from cyber attack and every part of the NHS is given clear direction to protect their own systems and the information they hold whilst nationally cyber defences are in place, led by NHS Digital working closely with the National Cyber Security Centre.

“There is still much to do, which is why an extra £150m is boosting hospital defences alongside a national deal on Microsoft licences and NHSX will be setting national strategy and mandating cyber security standards so that local NHS and social care systems have security designed in from the start.”