The extent of cyber attacks on the NHS has been revealed in research from VMware. The study, which was co-sponsored by Intel, revealed that almost a third of the NHS IT decision makers surveyed expressed certainty that the NHS's electronic patient data has been infiltrated by hackers, and 80 percent of those were confident that electronic staff records have also been compromised.
With many NHS trusts struggling to keep pace with the frequency and sophistication of cyber attacks, the research explored security practices amongst IT decision makers at those organisations. Not only did the study reveal a growing threat to patient care and front-line services, it also shed light on the consequences of successful breaches.
Nearly two thirds (62%) fear attacks on equipment or facilities could result in patients coming to harm, while over a quarter (29%) have had to cancel or postpone appointments following an incident, and a quarter (26%) have had to halt a research project following an incident.
With the recently announced £21 million of funding to help trusts defend against cyber attacks such as WannaCry, 70% of respondents admitted that more funds need to be spent and more needs to be done to address the skills needed to keep pace with increasingly sophisticated threats.
Following an attack, 28% of respondents stated they had lost skilled staff, and 38% believe their team lacks the skills to improve cyber security infrastructure and strategy.
David Houlding, director, healthcare privacy & security, Intel said: “Cyber criminals today are taking advantage of unpatched systems and unwitting employees with ransomware and phishing attacks, resulting in a record number of breaches worldwide. It is now more important than ever to comply with data protection laws and security standards, know the security posture of your organisation relative to the industry, and proactively remediate gaps to actively address security issues.”
The study also suggests better education is required for staff and the public around cyber threats: although the IT leaders surveyed said that hacktivist groups (50%) and individual cyber-criminals (49%) are most likely to leak NHS data, NHS staff (32%) and even patients (30%) themselves weren’t far behind. With many attacks aimed at end user devices, NHS staff are an important line of defence against the cyber threat.
Tim Hearn, director, UK Government and Public Services, VMware said, “Across the NHS, there are many fantastic examples of IT leaders being incredibly innovative in embracing new technologies to defend their complex infrastructures against cyber-threats. But the NHS is facing an uphill battle in keeping patient data safe against a backdrop of more persistent and diverse threats which increasingly target applications, bypassing traditional security. It needs to modernise its approach and focus on protection from the inside out; this means investing more than the 10 percent of IT budget on security that it currently sets aside.”
“Its leaders are clearly saying two things – that the risk of data breach will have a significant negative impact on patients and the UK as a whole, and that they need more support, investment and skills in remaining secure. A huge part of this is introducing a ‘People, Process and Technology’ approach to security – ensuring that, as well as having the right technology in place, people receive the right training and education to help tackle the threat.”