NHS remains vulnerable to cyber-attacks

According to a whitepaper by Imperial College, the NHS must take urgent steps to defend itself against hackers.

The whitepaper on NHS Cyber Security was written by researchers from Imperial College London’s Institute of Global Health Innovation and was presented at the House of Lords.

The report collated evidence from NHS organisations and examples of previous attacks in the UK and across the globe. It suggested that NHS hospitals are being put at risk due to a combination of outdated computer systems, a deficit of skills and awareness in cyber security, and a lack of investment.

A cyber-attack on a hospital’s computer system can have a devastating impact, leaving medical staff unable to access important patient details and therefore unable to offer the most appropriate care. Additionally, a cyber-attack can lead to patient data being stolen.

The report identified a number of technologies that are used in the health system, such as artificial intelligence, robotics, and implantable medical devices, all of which must have security built into their design, say scientists.

Lord Darzi, Co-Director of the Institute of Global Health Innovation (IGHI), said:

“We are in the midst of a technological revolution that is transforming the way we deliver and receive care. But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel. For the safety of patients, it is critical to ensure that the data, devices and systems that uphold our NHS and therefore our nation’s health are secure.

“This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks.”

There has been an increase in cyber-attacks against healthcare systems, with the most infamous one being the WannaCry attack in 2017. The attack resulted in staff not being able to gain access to patient data and critical services in around 34 NHS trusts, as well as thousands of appointments being cancelled. The total cost of the attack to the NHS has been estimated to be around £92m. 

Dr Saira Ghafur, lead author of the report from the IGHI, explained:

“Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased. However, we still need further initiatives and awareness, and improved cyber security ‘hygiene’ to counteract the clear and present danger these incidents represent. The effects of these attacks can be far-reaching – from doctors being unable to access patients’ test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record.”

In October 2018, the Department of Health and Social Care announced a spend of £150m over the next three years to protect key services from the threat of cyber-attacks. Additionally, a new unit named NHSX was announced, which would oversee digital transformation.

However, further investment and awareness are required at all levels of the health system.

Dr Ghafur added:

“Addressing the issue of cyber security will take time, as we need a shift in culture, awareness and infrastructure. Security needs to be factored into the design of digital tools and not be an afterthought.

“NHS trusts are already under financial pressure, so we need to ensure they have the funds available to ensure robust protection against potential threats.”

