The use of outdated software and operating systems in the NHS leaves the health service “vulnerable to attack”, new research has found.

Internet of Things (IoT) devices were identified as the weakest link in an IT network, according to research from software technologies company Check Point, which highlighted ultrasound machines as particularly vulnerable.

To investigate, Check Point tested the cyber security of a Philips HDI 4000 ultrasound machine and were able to gain access to the machines entire database of patient images.

The reason for its weakness? The operating system it uses. The machine is based on Windows 2000, a platform that no longer receives updates which, due to its “well known security gaps”, leaves it vulnerable to attack.

When asked how easy it was to hack into the software Roman Zaikin, security researcher at Check Point said: “It was 3 out of 10.”

“We simply used an exploit for a known, old vulnerability to gain control of the hardware, with only a small modification needed to make it work on the machine,” he told Digital Health.

“We tried three different attacks and all three were relatively easy to do.  We were able to quickly download all of the scans of patients.  We were able to manipulate the scans and replace patient names, and we were also able to load ransomware on the machine.

According to Philips that particular model is no longer sold by the company and any that are still used within the NHS are operating on a support system that ended years ago.

Individual NHS organisations are responsible for the devices they procure, an NHS Digital spokeswoman said, but she confirmed a “small minority” may still be using older operating systems.

“We are aware that some older operating systems are used in the NHS but they are a small minority. We don’t hold specific figures on machines using Windows 2000,” she told Digital Health.

“Hospitals have a responsibility to manage their own cyber security arrangements which are specific to their needs.

“Centrally, we are working toward the recommendations made by the National Audit Office and Public Accounts Committee to help Trusts and other NHS Organisations to build resilience and improve their response following a cyber incident.”

But as long as out-dated software systems are used in the NHS, and updates are slow, it’s a “perfect storm” for cyber security threats, Zaikin added.

“Hospitals have thousands of devices connected to the IT network, and any one of them can have vulnerabilities in either the hardware of software used by such devices that can be exploited,” he added.

“And hospital IT teams simply do not have the time or resources to manage and update every single device. Even if a device is updateable, the update cycle may be very slow, which means vulnerabilities remain on the system.  It’s a perfect storm.”

What needs to be done?

Zaikin suggests hospitals and other healthcare organisations need to invest resources into separating patient data from the rest of their IT networks to make it harder for hackers to find and make it simpler to isolate attacks if they occur.

“This network segmentation would also enable these organisations to prevent data stealing or encrypting malware from propagating further across the network and impacting wider systems,” he told Digital Health.

“Data that hospitals hold is extremely valuable.  Patient information is as highly prized as a credit-card number, because it can be used to target victims in spear-phishing and other kinds of attacks.”

Cyber security is arguably not a new threat, but Zaikin warns as we move towards a more digital NHS the risk becomes greater.

The WannaCry attack two years ago proved the NHS was woefully unprepared for cyber threats and served as a wake-up call for more robust systems.

WannaCry: Where are we now?

On 12 May, 2017 the WannaCry ransomware outbreak devastated hospital IT systems. Just after 1pm in the afternoon NHS Digital’s CareCERT unit sent an alert to the Department of Health and Social Care informing them that four NHS trusts had reported ransomware attacks affecting a number of hospitals.

By 4pm, the ransomware had spread to 16 trusts and it was at this point NHS England publicly declared a major cyber security incident.

It led to disruption of at least 80 out of 236 hospital trusts in England, as well as 603 primary care and affiliate NHS organisations.

A devastating report from the National Audit Office into the impact of WannaCry concluded that Britain’s health service was woefully unprepared for a cyber-attack of such scale, despite being warned of a threat as far back as 2014.

In response NHS England published its “lessons learned” report, calling for a chief information and security officer (CSIO) and dedicated cyber security lead to be appointed.

Later, in February 2018, NHS Digital deputy CEO Rob Shaw told a Public Accounts Committee (PAC) that 200 NHS trusts tested against cyber security standards since WannaCry had failed.

NHS Digital was not able to confirm how many of the 22 recommendations in the lessons learned report have been met.

“We are working closely with our partner agencies across government healthcare to deliver the recommendations made by the Chief Information Officer last year,” a spokes woman told Digital Health.

“We are in the process of reviewing our progress against the recommendations we are responsible for, and plan to publish, our findings.

The deadline for trusts to pass cyber security training is 2021. So far, all 227 trusts have been through the assessment process, but NHS Digital was unable to comment on the number that had passed for “reasons of confidentiality”.

In January 2019, NHS Digital’s first CSIO, Robert Coles, resigned and has yet to be replaced.