As the world becomes more and more paperless, so too does the NHS. There is currently a drive to reduce the number of paper records in the NHS over the next 10 years. However, what is being done to protect data once it is taken out of a secure filing cabinet and placed on the World Wide Web?
Before we answer this question, we have to consider how big the threat actually is. The answer is that the threat of cyber-attacks on hospitals is very real. In October 2016, Northern Lincolnshire and Goole (NLAG) NHS Foundation Trust was the victim of a cyber-attack that forced all operations and appointments to be cancelled. A decision was made to shut down the entire IT system so that the virus could be isolated. This caused massive disruption to many of the services provided by these hospitals.
It is important to remember that the scale of this problem is not confined to the UK. Cyber-attacks are an increasing problem all over the world. In February 2016, the Hollywood Presbyterian Medical Centre in Los Angeles was a victim of ransomware. Hackers demanded a ransom of 9,000 bitcoins (approximately $5.8m USD) in return for files and systems to be restored. Eventually, a ransom of $17,000 USD was paid after a downtime of 5 days.
So how much of this is a threat to our NHS? Of course, we have already mentioned the example of the NLAG Trust back in October. But how common is this? According to Peter Smithson, a facilitator for the National Performance Advisory Group, patient data is now worth between 10 and 20 times more than credit card data. This makes it very attractive in the eyes of the criminal and is a reason why cyber-attacks on hospitals are on the rise. In 2014, there were 3,133 breaches of personal data and, the following year, this increased to 4,177. Figures for 2016 are not yet available, but experts predict that it will have increased further.
But why would a hacker be interested in accessing the computer system of a hospital? Firstly, the data could be held to ransom. A hacker could demand hundreds of thousands of pounds for the safe return of stolen data to an NHS Trust. The hacker can also blackmail individual patients, requesting money to be transferred for the safe return of their own personal data. Alternatively, some hackers want to sell the patient data to researchers developing drugs for very specific medical conditions.
Cyber criminals are no different to any other criminal. They will more often than not go for the easy target and in hospitals this is usually the older medical devices. Older medical devices do not have the same levels of in-built security and so are often a primary target for a cyber-attack. Medical devices that run on older operating systems such as Windows XP are particularly vulnerable. Examples include diagnostic equipment, therapeutic equipment and life support systems.
We have seen from a previous blog post back in July that the NHS is increasingly using a central mainframe in combination with RFID technology to track medical devices around hospitals. This is all very good but what is being done to protect this technology from hackers?
There is technology already out there that has in-built security features, such as MSE’s Blue Force range of centrifuges. These centrifuges use clever technology which can protect the instrument from hackers when they are linked up wirelessly. Of course, no system is 100% secure, but the Blue Force centrifuges use cutting edge Programmable Logic Controller (PLC) technology developed in conjunction with Omron that offers better protection than nothing at all.
However, it is not just older medical devices which have been singled out as a weak point. The lack of knowledge from medical staff is also an issue. More often than not, clinical staff are completely oblivious to the fact that their own medical devices could be hacked. This means that hackers are able to operate undetected. Medical devices in your hospital may already be infected without you even knowing. Hackers could be secretly changing parameters on medical devices in order to sabotage the system. Clinical staff need to make sure that they question any anomalies and alert the relevant person of their concern.
Perhaps the biggest weak point in the NHS is the lack of investment in protecting patient data and wirelessly connected medical devices. With NHS budgets already stretched to their limit, improvements in cyber security are not very high on the list of priorities.
An investigation carried out by Sky News found that many NHS Trusts either spend very little or no money at all on protecting themselves. Sky News concluded that NHS Trusts are ‘putting patients at risk’. The investigation found that seven NHS Trusts spent absolutely nothing at all on cybersecurity in 2015. Following a Freedom of Information request, Sky News found that the average annual spend was just £23,040 and forty-five NHS Trusts were unable to specify their cybersecurity budget at all.
In conclusion, it seems that the increase in digitalised data and wirelessly connected devices is at odds with the investment in cybersecurity. In the same way that the financial services sector has implemented a raft of measures to counteract the threat of cyber-attacks, so too must the healthcare sector in order to protect themselves and the patients they serve.