The BCS says a lack of NHS accountability and investment in cyber security measures was to blame for the widespread disruption caused across the health service by the WannaCry virus.
In a new report, the BCS argues that the healthcare sector has struggled to keep pace with cyber-security best practice and with a systemic lack of investment.
The new report outlines a ‘blueprint’ on future NHS cyber security, arguing the NHS “failed to keep pace with cyber security best practice with a ‘systemic’ lack of investment”, and that “some parts of the NHS lacked access to trained cyber security professionals”.
The opening of the blueprint states: “It is not acceptable that where good practice exists, it is not used – especially where lives are put in danger. This is a systemic issue, and we need a systemic solution”. The central recommendation of the blueprint is to build a community of trained practitioners to ensure known best practice is applied in cyber security.
It states, “Cyber security threats affect every part of society; including the entire public sector, corporations small and large, everywhere that computer systems are used. However, the role the NHS plays in our lives and the nature of the threat to it puts this as the first priority.”
In the report, the BCS says some hospital IT teams lacked access to trained, registered and accountable cyber-security professionals with the power to assure hospital boards that computer systems were fit for purpose.
BCS policy director David Evans said: “Unfortunately, without the necessary IT professionals, proper investment and training, the damage caused by the WannaCry ransomware virus was an inevitability…”
The BCS has partnered with Microsoft, IBM, BT, the RCN, the Patient’s Association and NHS Wales to produce a blueprint that outlines the steps NHS trusts should take to avoid future attacks being so disruptive.
Top of the BCS list is ensuring there are standards for accrediting relevant IT professionals. They argue the number of properly qualified and registered IT professionals, and cyber security experts, needs to be increased.
NHS boards are urged to ensure they understand their responsibilities, and how to make use of registered cyber security experts.
The document states: “We have been in contact with those working inside and out of the public sector, our colleagues working on relevant NHS policy and academic experts. We have the start of a broad coalition of organisations that wish to work together to build a cyber-safe NHS.”
The document adds, “we are looking to eliminate the threats from poor practice, and create a supported professional community”.
National Audit Office cyber security expert Tom McDonald last week published a post stating “The NHS was vulnerable to this malware largely because its software was old and hadn’t been ‘patched’ against a known vulnerability. In other words, this was an avoidable problem.”
A three-year draft roadmap is provided by the BCS for creating a ‘cyber safe NHS’ which centres on training and accrediting more cyber security professionals in healthcare. Other priorities identified include ‘inducting boards’ on cyber issues, and commissioning original research.
Underpinning the roadmap is an accompanying pledge to work together with partners in a collaborative fashion.
“I believe it is right to recognise the good work done in preventing the attacks and everyone who had worked tirelessly to minimise disruption,” said Andy Kinnear, chair of BCS Health and Care.
“We need to build on that with collective input from those who care about protecting the public from cyber threats. That’s why I support the Blueprint for Cyber Security in Health and Care.”