Cyber security is critical to the future of the NHS
- 5 May 2016
The NHS has spent three decades investing in digital technologies to automate processes, support clinical care and record what it does to patients.
Progress has at times been painfully slow and patchy, and there have been significant setbacks. But step by step, the health service has finally reached a critical mass of digitisation.
Digital Health Intelligence’s latest data shows that more than 50% of NHS acute trusts now have electronic patient record systems: a key litmus test, and one that suggests many organisations now depend on IT to carry out their work and care for patients.
With such reliance on electronic data systems, and with the portability of data that comes with it, come new cyber security risks. Paper records were certainly insecure, but a thief could physically only grab as many as they could carry. Hack into a records database and you can potentially make off with an almost unlimited amount of information.
Health is not an island
In industry after industry, blue chip companies including Sony, Microsoft, TalkTalk and WalMart have shown just how vulnerable leading organisations are to determined external attacks. Companies as diverse as infidelity specialist Ashley Madison and electronic toys specialist VTech were hacked in 2015.
Last year, the UK government estimated that online crime costs the country £27 billion a year, while a recent report by PricewaterhouseCoopers said cyber security incidents have risen by 38% since 2014.
So does that mean that health is next, and that cyber security is one of the biggest operational threats to the NHS? Some believe that it already is; and the government has moved to set up an NHS cyber security service within the Health and Social Care Information Centre as part of its wider CERT, or computer emergency response team, programme.
To reflect the key importance of cyber security, Digital Health News is this week launching a new dedicated hub on the subject. We have already begun to include cyber security within our market intelligence service and through our CCIO and Health CIO network best practice webinars.
Now, we have commissioned leading security journalist Davey Winder to become a regular security columnist, and will be running regular contributions from the leaders of CareCERT. Later this year we will also run the first Digital Health Cyber Security Summit.
A marmite issue, subject to hype
Not all healthcare IT leaders believe that cyber security warrants this attention. The NHS IT Leadership Survey 2016 probed attitudes to the subject and found it is an issue that polarises opinion.
A quarter of IT directors thought cyber security issues were a ‘big threat’ and ‘high risk’, and just under a fifth of chief clinical information officers thought the same. But around 10% of both groups thought that security risks were ‘overstated’ and over-hyped by IT suppliers.
To date, there have been no high profile cyber security attacks on the NHS that have made the national media. Yet the latest figures from the Information Commissioner's Office suggest that health has a greater number of reported data security incidents than any other sector.
The high figures are partly explained by the mandatory requirement to report incidents in health, by the sheer size and complexity of the health and social care system, and by the sensitivity of health data.
In addition, most of the incidents that have been picked up by the ICO relate to lost laptops holding unencrypted data, USB keys left on trains, or failure to properly dispose of paper records.
While it is worth considering how much confidential data even a 16GB USB key can hold, many of these incidents are primarily matters of information governance and of staff not following procedures for safeguarding data, rather than the more lurid world of ‘hacking’.
US healthcare under attack
Even so, it is fast becoming an open secret that a growing number of NHS organisations have suffered, and are suffering, serious external cyber attacks.
While incidents have so far stayed out of the national media, freedom of information requests by enterprising local papers have uncovered incidents that are bound to be the tip of the proverbial iceberg.
NHS Orkney, for instance, is known to have suffered a ransomware attack, in which its systems were infected by malware that encrypted its internal files. The board was able to refuse to pay to get the files unlocked, and instead restored them from a backup, according to the Aberdeen Press and Journal. That option only exists where backups are kept separate from the infected systems and have been tested.
Earlier this year, Royal Berkshire NHS Foundation Trust had to postpone operations after an ‘XP virus’ got into its systems via an email. The trust was able to prioritise urgent work while isolating the affected systems and dealing with the problem, according to the Reading Evening Post’s website.
In the US, by comparison, there has been a spate of very high profile cyber attacks and incidents, making cyber security the highest profile issue for many US health CIOs.
Until recently, perhaps the most high profile attack was revealed in January 2015, when health insurer Anthem announced that it had suffered a massive security breach affecting the records of nearly 80 million people.
Anthem turned out to have been the victim of a highly sophisticated attack attributed to China, in which the hackers had had access to its systems for months.
Investigators found the hackers had initially gained access by tricking an employee into clicking on a phishing email disguised to look like an internal email. The consequences for Anthem have been a catastrophic loss of trust, a spate of lawsuits and $230m in direct costs.
However, its problems have probably been eclipsed by the more recent spate of ransomware attacks across the US, including that on Hollywood Presbyterian Medical Centre.
The hospital lost access to its computer systems after attackers encrypted its files; it then paid them $17,000 in bitcoin, arguing that this was the fastest and most efficient way to restore its systems and administrative functions.
Reputational risk
US healthcare data, which often contains financial details, is not the same as that in the UK. But it has become commonplace to hear conference speakers argue that health records are far more valuable to fraudsters than credit card details, since a stolen card can be cancelled and a medical history cannot.
At a national level, the greatest risk from cyber security threats is perhaps not financial, or even operational, but to the NHS’s reputation and public trust. Already wary of government and big data, the British public is particularly sensitive about its health data.
Failure to be clear about information governance, to define the limits of the use of its data, and to trust patients to opt in or out fatally wounded care.data. The fact that 1.2 million citizens have opted out of information sharing for any purpose beyond direct care is mute testament to how big that failure has been.
Unless cyber security becomes a priority for both national and local health organisations, there is a real risk that high profile incidents, which will happen and will become public, could severely dent public confidence.
And that would severely set back the many information and record sharing projects so vital to NHS modernisation and improvement.