A leading cybersecurity expert has issued a warning that the National Health Service (NHS) remains highly vulnerable to cyberattacks unless significant updates are made to its computer systems. This comes in the wake of a major ransomware attack that has severely disrupted healthcare services across London.
Professor Ciaran Martin, the founding CEO of the UK’s National Cyber Security Centre (NCSC), shared his concerns in an interview with the BBC. “I was horrified, but not completely surprised. Ransomware attacks on healthcare are a major global problem,” Prof. Martin stated.
Despite NHS England’s investment of £338 million over the past seven years to enhance cybersecurity resilience, Prof. Martin’s warnings suggest that more urgent and extensive actions are necessary to protect the NHS from future threats.
On June 3, 2024, a cyberattack targeted Synnovis, a pathology testing organization, severely affecting services at Guy’s, St Thomas’, King’s College, and Evelina London Children’s Hospitals. NHS England declared it a regional incident, resulting in the postponement of 4,913 acute outpatient appointments and 1,391 operations. The cyberattack raised significant data security concerns and has been described as one of the most severe cyber incidents in British history.
The Attackers and Their Demands
The Russian-based hacking group Qilin believed to be part of a Kremlin-protected cyber army, claimed responsibility for the attack.
They demanded a £40 million ransom, which the NHS refused to pay. Consequently, the group published stolen data on the dark web, reflecting a growing trend of Russian cyber criminals targeting global healthcare systems.
Prof. Martin, now a professor at the University of Oxford, highlighted three critical issues facing NHS cybersecurity: outdated IT systems, the need to identify vulnerable points, and the importance of basic security practices. “In parts of the NHS estate, it’s quite clear that some of the IT is out of date,” he noted.
He emphasized the necessity of identifying “single points of failure” in the system and implementing better backups. Improving basic security measures could significantly hinder attackers. “Those little things make the point of entry quite a lot harder for the thugs to get in,” Prof. Martin added.
Front-line Staff Concerns
Concerns among front-line staff are mounting in the wake of the recent cyber-attacks. Many have pointed to outdated equipment and a lack of unified systems as major vulnerabilities. A senior intensive care doctor in London remarked, “The NHS is vulnerable. It’s a patient safety issue, but there’s no interest in addressing it.”
An A&E consultant in north London highlighted the use of “decade-old computers and Windows 7,” noting that systems crash “every few months.” A junior doctor expressed concerns over the risks posed by outdated equipment and the impact of privatization. “Old computers pose a security risk for patient data. The Synnovis incident shows how vulnerable we are,” the doctor said.
A senior orthopedic surgeon described the fragmented nature of NHS IT systems, where a patient’s X-ray in one hospital cannot be accessed in another. “It’s shocking and worrying for cybersecurity,” he said.
Dr. Daniel Gardham from the Surrey Centre for Cyber Security echoed Prof. Martin’s concerns, emphasizing the link between outdated systems and cyber-attacks. “If you have old computers, then simply put, there’s going to be unpatched vulnerabilities,” Dr. Gardham explained. He stressed that while sophisticated attacks do occur, many breaches result from basic security oversights.
“It could be something really, really, simple and actually most likely it is something very, very, simple. It would be one person, perhaps, that had a weak password or left their computer unattended in a cafe.”
NHS England’s Response
An NHS England spokesperson told the BBC, “We are increasing cyber resilience across the NHS and over £338 million has been invested over the past seven years to help keep health and care organizations as safe as possible. Our ambitious Cyber Improvement Programme will support the NHS to respond to the changing cyber threats, expand protection, and reduce the risk of a successful attack.”
As cyber threats continue to evolve, the NHS must prioritize these updates to safeguard patient data and ensure the continuity of critical healthcare services. The collective insights from cybersecurity experts and front-line staff highlight the pressing need for immediate and sustained action to protect the NHS from future cyber threats.