image source, Blavatsky School of Government
- Author, Guy Lynn and Stephen Menon
- Role, BBC Investigations, London
- Twitter,
A leading cyber security expert has warned that the NHS remains vulnerable to further cyber attacks if it does not update its computer systems.
The stark assessment comes in the wake of a major ransomware attack that has severely disrupted health services across London.
Professor Ciaran Martin, founding director general of the UK’s National Cyber ​​Security Center (NCSC), told the BBC: “I was horrified but not entirely surprised. Ransomware attacks on healthcare are a major global problem.”
NHS England said it is increasing its cyber security resilience and has invested £338m in tackling the problem over the past seven years.
But Professor Martin’s warnings suggest more urgent action may be needed.
A recent report by the British Medical Association highlighted the NHS’s aging IT infrastructure, revealing that doctors waste 13.5 million hours a year due to outdated systems – the equivalent of 8,000 full-time medics.
The June 3 cyber attack, which Professor Martin described as one of the most serious in British history, targeted Synnovis, a pathology testing organisation, and severely affected services including Guy’s, St Thomas’, King’s College and Evelina London Children’s Hospitals.
NHS England declared it a regional incident, resulting in 4,913 emergency outpatient appointments and 1,391 postponed operations and major data security concerns.
The Qilin hacking group, based in Russia and believed to be part of the Kremlin-backed cyber army, demanded a ransom of £40m. When the NHS refused to pay, the group published the stolen data on the dark web.
The incident reflects a growing trend of Russian cybercriminals targeting global healthcare systems.
Now an Oxford University professor has highlighted three critical issues facing NHS cyber security: outdated IT systems, the need to identify vulnerabilities and the importance of basic security practices.
He warned: “It is quite clear in parts of the NHS estate that some IT is out of date.”
He emphasized the importance of identifying “single points of failure” in the system and implementing better backups.
Professor Martin also emphasized that improving basic security measures could significantly deter attackers, saying: “These little things make it quite difficult for criminals to get in.”
He emphasized the seriousness of the recent attack, concluding: “It was clear that this was going to be one of the most serious cyber incidents in UK history due to the disruption of healthcare.”
“Cybersecurity is expensive”
Some frontline workers, who spoke anonymously, are very concerned about the outdated equipment they use after the recent cyber attacks.
The head of intensive care in London warned: “The NHS is vulnerable.
“It’s a patient safety issue, but there’s no interest in addressing it. People either don’t know about it or don’t want to hear about it.”
An A&E consultant in north London told us they were working with “decades-old computers and Windows 7” and that their systems crashed “every few months”, while a junior doctor highlighted the risks of outdated equipment and privatisation.
“Old computers pose a security risk to patient data. The Synnovis incident shows how vulnerable we are,” the doctor said.
A senior orthopedic surgeon described the fragmented nature of NHS IT: “There is no single system. An X-ray of a patient in one hospital is not available in another.
“It’s shocking and troubling for cyber security.”
Another junior doctor added: “The NHS is not doing enough.
“Cybersecurity is expensive and our funding has been cut for more than a decade.
“It’s incredibly frustrating.
Dr Daniel Gardham of the Surrey Center for Cyber ​​Security echoed Professor Martin’s concerns about outdated systems and their potential link to cyber attacks.
“If you have old computers, then simply put, there will be unpatched vulnerabilities,” he said.
“That means there are avenues for attackers.
Dr. Gardham stressed that while there have been sophisticated attacks, many breaches are the result of basic security oversights.
“It could be something really, really, simple, and in fact, it most likely is something very, very, simple.
“Maybe it would be one person who had a weak password or left their computer unattended in a coffee shop.
“Many cyber security attacks are not sophisticated.”
An NHS England spokesman told the BBC: “We are increasing cyber resilience across the NHS and more than £338m has been invested over the past seven years to help keep health and care organizations as secure as possible.
“Our ambitious cyber improvement program will support the NHS to respond to changing cyber threats, enhance protection and reduce the risk of a successful attack.”