Fix NHS gaps or face more attacks – ex cyber chief
By Guy Lynn and Stephen Menon,
BBC Investigations, London
A leading cybersecurity expert has warned that the NHS remains vulnerable to further cyber-attacks unless it updates its computer systems.
This stark assessment comes in the wake of a major ransomware attack that has severely disrupted healthcare services across London.
Prof Ciaran Martin, the founding CEO of the UK’s National Cyber Security Centre (NCSC), told the BBC: “I was horrified, but not completely surprised. Ransomware attacks on healthcare are a major global problem.”
NHS England said it was increasing its cybersecurity resilience and had invested £338m in the past seven years addressing this issue.
But Prof Martin’s warnings suggest more urgent action may be needed.
A recent British Medical Association report highlighted the NHS’s ageing IT infrastructure, revealing that doctors waste 13.5 million hours annually due to outdated systems – equivalent to 8,000 full-time medics’ time.
The 3 June cyber-attack, which Prof Martin described as one of the most serious in British history, targeted Synnovis, a pathology testing organisation, severely affecting services including at Guy’s, St Thomas’, King’s College and Evelina London Children’s Hospitals.
NHS England declared it a regional incident. It resulted in the postponement of 4,913 acute outpatient appointments and 1,391 operations, and raised major data security concerns.
The Russian-based hacking group Qilin, believed to be part of a Kremlin-protected cyber army, demanded a £40m ransom. When the NHS refused to pay, the group published stolen data on the dark web.
This incident reflects a growing trend of Russian cyber criminals targeting global healthcare systems.
Now a professor at the University of Oxford, Prof Martin highlighted three critical issues facing NHS cybersecurity: outdated IT systems, the need to identify vulnerable points, and the importance of basic security practices.
He warned: “In parts of the NHS estate, it’s quite clear that some of the IT is out of date.”
He stressed the importance of identifying “single points of failure” in the system and implementing better backups.
Prof Martin also emphasised that improving basic security measures could significantly hinder attackers, stating: “Those little things make the point of entry quite a lot harder for the thugs to get in.”
Emphasising the severity of the recent attack, he concluded: “It was obvious that this was going to be one of the most serious cyber incidents in British history because of the disruption to healthcare.”
‘Cybersecurity is costly’
Some front-line staff, speaking anonymously, said they were very worried following the recent cyber-attacks and pointed to the outdated equipment they are using.
A senior intensive care doctor in London warned: “The NHS is vulnerable.
“It’s a patient safety issue, but there’s no interest in addressing it. People either don’t know or don’t want to hear about it.”
An A&E consultant in north London told us they were working with “decade-old computers and Windows 7” and that their systems crashed “every few months”, while a junior doctor highlighted the risks of outdated equipment and privatisation.
“Old computers pose a security risk for patient data. The Synnovis incident shows how vulnerable we are,” the doctor said.
A senior orthopaedic surgeon described the fragmented nature of NHS IT: “There’s no unified system. A patient’s X-ray in one hospital can’t be accessed in another.
“It’s shocking and worrying for cybersecurity.”
Another junior doctor added: “The NHS isn’t doing enough.
“Cybersecurity is costly, and our funding has been cut for over a decade.
“It’s incredibly frustrating.”
Dr Daniel Gardham from the Surrey Centre for Cyber Security echoed Prof Martin’s concerns about outdated systems and their potential link to cyber-attacks.
“If you have old computers, then simply put, there’s going to be unpatched vulnerabilities,” he said.
“This means that there are ways in for attackers.”
Dr Gardham stressed that while sophisticated attacks did occur, many breaches resulted from basic security oversights.
“It could be something really, really simple and actually most likely it is something very, very simple.
“It would be one person, perhaps, that had a weak password or left their computer unattended in a cafe.
“A lot of cyber security attacks are not sophisticated.”
An NHS England spokesperson told the BBC: “We are increasing cyber resilience across the NHS and over £338 million has been invested over the past seven years to help keep health and care organisations as safe as possible.
“Our ambitious Cyber Improvement Programme will support the NHS to respond to the changing cyber threats, expand protection and reduce the risk of a successful attack.”