Lord Darzi has called on the NHS to make drastic improvements in cyber security in a new report presented to the House of Lords.

A white paper written by researchers from Imperial College London’s Institute of Global Health Innovation says fresh investment is “urgently needed” to defend against threats that could put patient safety at risk.

Led by Lord Darzi, the report makes recommendations on key areas that NHS trusts must improve upon in order strengthen IT security.

Amongst these are the hiring of more cyber security professionals into IT teams, building “fire-breaks” into networks that allow staff to cut off and isolate certain systems if they become infected with malware, and having clear lines of communication for receiving advice on cyber security matters.

The paper highlights healthcare technologies that could pose a serious threat to patients if not made secure by design, such as robotics, artificial intelligence and implantable medical devices.

Lord Darzi, co-director of the Institute of Global Health Innovation (IGHI), said: “We are in the midst of a technological revolution that is transforming the way we deliver and receive care. But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel.

“For the safety of patients, it is critical to ensure that the data, devices and systems that uphold our NHS and therefore our nation’s health are secure.

“This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks.”

For the paper, the research team collated evidence from NHS organisations and examples of previous attacks in the UK and worldwide.

Dr Saira Ghafur, lead author of the report from the IGHI, said that while awareness of cyber-security had improved in recent years, it was important to continue building in new means of counteracting fresh attacks as technologies progressed.

“Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased,” said Dr Ghadur.

“However, we still need further initiatives and awareness, and improved cyber security ‘hygiene’ to counteract the clear and present danger these incidents represent.

“The effects of these attacks can be far-reaching – from doctors being unable to access patients test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record.”

Essential safeguards

The WannaCry attack in 2017 left the NHS with a clean-up bill amounting to £92m, after ransomware impacted operations at some 81 trusts and left more than 30 locked out of IT systems.

Thousands of appointments were cancelled as a result, in some cases forcing hospital staff to send patients elsewhere for treatment.

The NHS drew criticism for its apparent failure to put fundamental safeguards in place that could have lessened the ransomware’s impact. This led NHS England to draw up a game-plan for driving improvements in  cyber-security procedures, though some MPs have voiced concerns that these have not been implemented quickly enough.

One of the recommendations made by then-NHS England CIO, Will Smart, was the appointment of a chief information security officer at NHS Digital – a role that was filled by former GlaxoSmithKline security chief, Robert Coles, for a whole of three months.

The role has since been taken up by Dan Pearce.

Meanwhile, Health secretary Matt Hancock recently revealed that more than 100 NHS boards had completed GCHQ-accredited cyber security training, two years after WannaCry. It was not made clear whether those that completed their training were of the 236 hospital trusts in England, or of primary care and affiliate NHS organisations.

Not specific to the NHS

Researchers from Imperial College made a note to praise “existing measures put in place across the health system” to improve cyber security, pointing to an ongoing £150m investment by the department of health and social care and the creation of the new NHSX unit, which has been tasked with overseeing digital transformation.

They also stressed that the “situation is not specific to the NHS”, and that all healthcare systems around the world were vulnerable to attack.

Dr Ghadur noted that financial belt-tightening made it particularly difficult for NHS trusts to get the investment they needed to improve cyber resilience.

“Addressing the issue of cyber security will take time, as we need a shift in culture, awareness and infrastructure. Security needs to be factored into the design of digital tools and not be an afterthought.

“NHS trusts are already under financial pressure, so we need to ensure they have the funds available to ensure robust protection against potential threats.”