Diabolus ex machina

This week the NHS services in my area were devastated by a cyber attack that stopped services in their tracks. I’m not exaggerating when I use the word ‘devastated.’ Blood tests were compromised as a result of the cyberattack on Synnovis, the company that provides pathology services to two major south London NHS Trusts.

As a result, non-essential bloods in the community have been postponed, while things are still worse in hospitals. Operations have been cancelled and every ward has been left scrambling as they go back to paper requests. And it is not just the amount of extra work in an already stretched healthcare system that astonishes me. The risk of the situation gives me the heebie-jeebies. Imagine not being able to accurately measure the blood levels in a woman who suffered a major haemorrhage after childbirth?

Needless to say, this was the last thing NHS workers needed.

As someone who was there for the last ‘WannaCry’ cyber attack on the NHS in 2017, I remember that after the initial shock had passed, I became aware of just how vulnerable health service IT systems were. Like many things in underfunded hospitals, IT systems are worse for wear. From excessive log-on times to multiple different clunky software programs, healthcare IT seems clunky in comparison to the cutting edge tech of private companies.

Here are some of the issues with NHS IT systems as I see it:

Vulnerability of single data systems

The aspiration of NHS healthcare is to provide joined-up, accessible care from anywhere in the country. Indeed, this should be easier in a system like the NHS, where there is one umbrella organisation and fairly standardised working practices and legislation. IT systems, however, have been commissioned differently across Trusts, much to the consternation of those working in (and using) the healthcare system. Changing Trusts, I often have to get used to a new IT system and as a GP, cannot easily see what has happened to a patient, even in a local hospital. This has implications for continuity of care and safeguarding.

In the Synnovis cyber attack, devolvement of IT systems has helped contain the disruption to a few London NHS Trusts. I can only imagine the disruption if Synnovis was the pathology provider for the whole country. However, if the NHS is serious about implementing a single data system (which I think is a good thing), it needs the cyber security worthy of such an important single target data system.

Vulnerability in upkeep and maintenance

NHS IT staff have a hell of a job to do. Given how big Trusts are and the disrepair a lot have fallen into, there are many vulnerable points in IT systems. Maintaining good digital hygiene is difficult given the many stations and users accessing mail, software and cat videos (on their breaks!). In order to keep IT systems robust and safe, Trusts need the best IT staff working within their capacity with adequate resources. Unfortunately, this does not sound like the NHS.

Although the government have promised more investment in its NHS Digital Plan, without a fully equipped workforce, this may be a case of putting the cart before the horse.

Vulnerability in external IT providers

In order to deliver a single data system, healthcare services need to prioritise cyber-security. This can be complicated as the many NHS IT services are provided by private companies that may then have vulnerable systems themselves. For example, Synnovis’s parent company, Synlab, suffered an attack in its Italian healthcare systems in April, a foreshadowing of this week’s UK attack.

How can this be prevented from the UK end? It’s difficult to say but I suggest extreme scrutiny and vetting of external providers before commissioning services. NHS Digital must be working on this.

Emotional vulnerability

When the 2017 ‘WannaCry’ attack happened, I was in disbelief that the NHS could be a target. As I sat on a broken chair in a windowless store cupboard-turned doctors’ office, I couldn’t believe hackers would think a broke and broken NHS a worthy blackmail target. However, my opinion has changed since then.

Of course, healthcare is a prime target for cyber attacks. What’s more emotive or high-stakes than healthcare? Compared to the British Library hack of last year (no offence British Library - I feel you!) ransoming sensitive and timely healthcare information is way more likely to pay. We don’t negotiate with terrorists? Well, what if they have your toddler’s chemo-related white cell count?

Cyber attacks on healthcare systems are not off limits for calculated criminals, who have no limits. In fact, like defence, government and the other major holders of sensitive material, they are set to be the number one targets for the future.