NHS IT leaders fear harm to patients from widespread hacking of confidential data

New research findings published today show the increasing threat cyber attacks pose to the NHS.

The VMware study, which was co-sponsored by Intel, reveals that almost a third of the IT decision makers in the NHS surveyed expressed certainty that NHS electronic patient data has been infiltrated by hackers, and 80% of those were confident that electronic staff records have also been compromised.

With many NHS trusts struggling to keep pace with the frequency and sophistication of cyber attacks, the research explored security practices amongst IT decision makers at those organisations. Not only did the study reveal a growing threat to patient care and front-line services, it also shed light on the consequences of successful breaches:

  • Nearly two thirds (62%) fear attacks on equipment or facilities could result in patients coming to harm.
  • Over a quarter (29%) have had to cancel or postpone appointments following an incident.
  • A quarter (26%) have had to halt a research project following an incident.

With recently-announced £21m funding to help trusts defend against cyber-attacks such as WannaCry, 70% of respondents admitted more funds need to be spent and more done to address the skills needed to keep pace with increasingly sophisticated threats. Following an attack, 28% of respondents stated they had lost skilled staff, and 38% believe their team lacks the skills to improve cybersecurity infrastructure and strategy.

The study also suggests better education is required for staff and the public around cyber threats: although the IT leaders surveyed said that hacktivist groups (50%) and individual cyber-criminals (49%) are most likely to leak NHS data, NHS staff (32%) and even patients themselves (30%) weren’t far behind. With many attacks aimed at end user devices, NHS staff are an important line of defence against the cyber threat.

Tim Hearn, Director, UK Government and Public Services, VMware said: “Across the NHS, there are many fantastic examples of IT leaders being incredibly innovative in embracing new technologies to defend their complex infrastructures against cyber-threats. But the NHS is facing an uphill battle in keeping patient data safe against a backdrop of more persistent and diverse threats which increasingly target applications, bypassing traditional security. It needs to modernise its approach and focus on protection from the inside out; this means investing more than the 10% of IT budget on security that it currently sets aside.

“Its leaders are clearly saying two things – that the risk of data breach will have a significant negative impact on patients and the UK as a whole, and that they need more support, investment and skills in remaining secure. A huge part of this is introducing a ‘People, Process and Technology’ approach to security – ensuring that, as well as having the right technology in place, people receive the right training and education to help tackle the threat.”

David Houlding, director, healthcare privacy & security, Intel added: “Cybercriminals today are taking advantage of unpatched systems and unwitting employees with ransomware and phishing attacks, resulting in a record number of breaches worldwide. It is now more important than ever to comply with data protection laws and security standards, know the security posture of your organisation relative to the industry, and proactively remediate gaps to actively address security issues.”
