Securing a new lifeline for the NHS

Foreword

The WannaCry ransomware attack hit the NHS hard, affecting as many as 40 hospitals across 24 trusts [1]. It hit services, communications points, and ultimately affected patient care. WannaCry served as a huge wake-up call for the healthcare industry and for the UK government as a whole. According to guidance from the National Cyber Security Centre [2], an attack of this type and scale could recur.

The subsequent response from the NHS was interesting; while on the whole it managed to protect essential services, different hospitals and NHS trusts handled the attack in different ways – some better than others. Either way, the attack highlighted how valuable NHS data is to cyber criminals. Whether it’s personal data on people or information on ground-breaking research, data is an incredibly important asset in helping to deliver patient care; criminals realise this and are willing to halt services to gain money or aim to sell the data themselves. Communications provider Maintel recently said that “medical information can be worth ten times more than credit card numbers on the deep web” [3]. It is for this reason that strong data security standards are essential for organisations in the healthcare sector.

The importance of such standards is growing by the day. With the NHS’ plans to become paperless by 2020, even more data and services will be available online, increasing the potential for significant data loss. Meanwhile, new data-sharing schemes are continually being proposed and introduced within the public sector as well as between the private sector and the NHS. These projects are designed to improve and extend the services offered by the NHS, satisfying demand for a 24/7 service and providing a more joined-up approach to healthcare to bring greater benefits.
The NHS, constantly [4] ranked amongst the top healthcare systems in the world, has to be able to demonstrate that it can protect this data in order to restore public confidence. As a result of the WannaCry disruption, the NHS now has the opportunity to lead the way in clinical data security. For the NHS to succeed in delivering world-class medical care to anyone, anywhere, the public must have complete confidence in the security of their personal information. However, it is facing a tough balancing act, having to cope with budget cuts and under-resourced IT teams – all while having to be as resilient as possible in thwarting and reacting to possible cyber threats.

To discover more about how the cyber threat on the NHS is perceived, we questioned IT decision makers (ITDMs) at NHS organisations as well as 2,000 consumers about their experience with and views of cyber security threats – be it external sources, internal threat, processes or technologies. This report explores the key steps NHS organisations can take in improving their approach to security and maintaining the trust of the UK public and their staff.

Tim Hearn, Director, UK Government and Public Services, VMware
David Houlding, Director, Healthcare Privacy & Security, Intel

[1] http://www.wired.co.uk/article/nhs-trusts-affected-by-cyber-attack
[2] https://www.ncsc.gov.uk/news/latest-statement-international-ransomware-cyber-attack-0
[3] http://www.independent.co.uk/life-style/gadgets-and-tech/news/nhs-cyber-attack-medical-data-records-stolen-whyso-valuable-to-sell-financial-a7733171.html
[4] http://www.bbc.co.uk/news/health-40608253

About this research

VMware commissioned research to explore how cyber attacks on the NHS are impacting its ability to provide care and protect the sensitive and personal data that it holds.
On VMware’s behalf, independent research house Opinion Matters questioned 100 NHS IT decision makers and 2,000 members of the UK public about their view on the cyber threat to the NHS. The research was carried out between June and July 2017.

The challenges of protecting patient data

The NHS holds data for more than 65 million patients and employs 1.5 million people [5]. There is an enormous amount of complexity involved in ensuring that patient data is always accessible. This need for accurate, real-time insight is only increasing given the growing use of data to help patient outcomes. The NHS deals with over a million patients every 36 hours, creating a huge amount of data which needs to be accessed by an incredibly diverse array of devices. The IT infrastructure that sits behind every interaction with a patient, from diagnosis to treatment, is therefore more important than ever.

The NHS recognises this and there have been a number of technology-based projects over the last few years that aim to make the best use of the data that we now have at our fingertips to inform and ultimately improve the care process. Some of the projects haven’t had the success that was hoped for, but for the ones that have succeeded, the benefits have been life-changing. Unfortunately, it’s the failed projects that make the headlines, and with little communicated about the thousands of IT-focused projects that take place within the NHS, it’s unsurprising that the majority (70%) of the public respondents believed that too little is being invested in IT security.

As the increasing cyber threat is making almost daily headlines, promoting these successes is important. Meeting this increasing sophistication head on means involving everyone in the protection of the NHS – from the board and IT leaders to the clinicians and operational staff. That said, IT teams and NHS organisations are an invaluable part of ensuring that the IT environment is as safe as it can be.
Unfortunately, the research revealed that expertise in IT security is lacking and risks further reduction. More than a quarter (28%) have lost skilled staff following a cyberattack, while 38% believe they or their team lack the suitable skills to improve the NHS’s cyber security infrastructure and strategy. This is worrying: without the right expertise, individual organisations within the healthcare system may be putting data at risk of being stolen or leaked, and of systems being shut down.

NHS IT teams acknowledge that threats to their organisations’ security come from external sources such as hacktivist groups (50%) and individual cyber criminals (49%). However, they are also aware of an insider threat – labelling their own staff (32%) and patients themselves (30%) as significant risks. Although these insider leaks may not always be intentional or malicious, if patient data is accidentally accessed by someone who shouldn’t have access to it, the effects could be severe.

That suggests that there needs to be action on two different levels: from a technology standpoint, the NHS needs to invest in expertise and secure technologies, and from an awareness perspective, cyber security training is essential for all NHS employees – particularly when considering the number of data breaches made by NHS trusts over the last