The NHS was victim to the ‘biggest ransomware offensive’ in history earlier this year, affecting 47 Trusts. It was fortunately stopped by a cyber security researcher before it got completely out of control. In October 2016, a hospital in Wales had 4,766 staff files stolen when the software supplier Landauer was hacked. Experts and the general public question how safe the highly sensitive data held by the NHS is, and if there are sufficient processes in place to prevent further attacks and breaches.
Both attacks were sophisticated and well-planned, exploiting NHS IT systems that are out of date and unprotected. Ex-chief of NHS Digital, Kingsley Manning, estimated it would take £100m a year to update systems and protect Trusts against cyber-attacks and data breaches.
These recent attacks could have been stopped by investment in anti-virus software and more sophisticated processes. However, many breaches happen due to human error and poor processes.
In 2010, an NHS Trust sold second hand hard drives on eBay that had not been wiped of patient data. In May 2016, a sexual health clinic employee revealed the email addresses of 700 patients receiving a newsletter about HIV, by pasting the addresses into the “To” field rather than the “Bcc” field. In 2014, 498 data breaches were self-reported to the Information Commissioners Office (ICO) making the NHS the ‘most investigated’ for potentially serious data breaches.
The potential for mistakes like these are present in all industries. Unfortunately, when they are made in the NHS the consequences can be far higher.
Yes, the NHS needs to invest in updating their computer systems and improving the vetting and selection of software suppliers. However, investments need to be made in the training of staff and improving antiquated processes to eliminate these types of errors.
Since the WannaCry ransom attack, £21 million has been committed to 27 major trauma centres across England both to update their IT systems and to improve staff training. It looks we are heading in the right direction.