NHS cyber-attack was ‘inevitable’ given poor investment

Expert report blames NHS cyber-attack on failure to keep up with security best practice

Louise Prime

Thursday, 29 June 2017

The damage caused by the recent cyber-attack on the NHS “was an inevitability” given the health service’s failure to update its cyber-security and its lack of investment and training, according to IT experts. In a report,* published this morning, they urged NHS Boards to make sure they understand their responsibilities, and how to make use of registered cyber security experts – and they added that there must be an increase in the number of properly qualified and registered IT professionals.

The Chartered Institute for IT has investigated the WannaCry malware attack on NHS systems last month, and found that the healthcare sector has struggled to keep pace with cyber-security best practice and with a systemic lack of investment – and that these factors were to blame for the damage that the ransomware attack caused.

The Institute suggested that some hospital IT teams lacked access to trained, registered and accountable cyber-security professionals with the power to assure hospital Boards that computer systems were fit for purpose – although it concluded they were “doing the best with the limited resources available”.

The Chartered Institute for IT is now collaborating with the Patients Association, the Royal College of Nursing and Microsoft to produce a series of recommended steps that NHS trusts should take to “avoid another crippling cyber-attack”.

The first of these is to ensure that there are clearly laid out standards for accrediting relevant IT professionals. They are also urging NHS boards to ensure they understand their responsibilities, and how to make use of registered cyber security experts. And, they add, the number of properly qualified and registered IT professionals needs to be increased.

The Institute’s director of community & policy David Evans said: “Patients should be able to trust that hospital computer systems are as solid as the first-class doctors and nurses that make our NHS the envy of the world.

“Unfortunately, without the necessary IT professionals, proper investment and training, the damage caused by the WannaCry ransomware virus was an inevitability, but the roadmap we are releasing today will make it less likely that such an attack will have the same impact in the future.”

* Blueprint for cyber security in health and care. Chartered Institute for IT, June 2017.