Whilst GPs have relatively well proven and secure IT systems, with a limited number now offering a high standard service, hospital systems are multiple and disconnected. They are different to GP systems in that they do not collect all the social data, family history and accumulated evidence of years of family general practitioners. My own practice computerised fully in 1988. Hospital records are still kept on paper in outpatients in our local DGH. It is worrying to think of the potential for mistakes in disconnected systems, and Chris Smyth in the Times alerts us on April 18th 2018: “Every hospital tested for cybersecurity has failed”
Is the potential risk from poor systems greater than the gain to the patient? I have never been asked if I give permission for my hospital notes to be on computer. Patients in GP do have a right to exclude their notes from being shared. Do you have a right to forbid your notes to be filed electronically? We don’t know. Surely it’s time for my notes to be on a “card”, which when I pass to the doctor, is giving permission for access?
All 200 hospitals and other NHS organisations that have been tested so far have failed cybersecurity checks, according to a report by MPs.
Some hospitals have not fixed the original vulnerability that led to last year’s cyberattack and NHS chiefs are not working fast enough to protect the health service, even though a repeat is a matter of “when, not if”, the public accounts committee (PAC) says.
Despite promises that lessons had been learnt from the WannaCry ransomware attack nearly a year ago that crippled a third of NHS hospitals, a report released today finds there is still “a lot of work to do” to avoid more disruption when they are targeted again.
Yesterday spy masters in Britain and the US issued an unprecedented warning that tens of thousands of devices had been targeted by Russian hackers preparing for an attack on British infrastructure. Security chiefs are braced for cyberattacks on vital services, including the NHS, as relations with Moscow deteriorate over the nerve agent poisonings in Salisbury and a suspected chemical weapons attack by the Russian-backed Syrian regime.
Ministers accept that “cyberattacks are now a fact of life and that the NHS will never be completely safe from them”, the PAC reports.
Although almost 20,000 hospital appointments and operations had to be cancelled during last year’s attack, today’s report says that the NHS was “lucky” and if it had not happened on a Friday afternoon in May, and the virus had not been quickly disabled, the effect would have been far worse.
Meg Hillier, chairwoman of the PAC, said: “Government must waste no time in preparing for future cyberattacks — something it admits are now a fact of life. It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learnt are still to be agreed.”
All 200 trusts tested on cybersecurity by NHS Digital have failed, the MPs said. “We are told that this was because a high bar had been set for NHS providers to meet the required standard but some of the trusts had failed the assessment purely because they had still not patched their systems — the main reason the NHS had been vulnerable to WannaCry,” they added.
“I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment,” Ms Hillier added.
Today’s report details how staff had to resort to using WhatsApp to communicate because they had shut down emails as a precaution, while some hospitals called the police because they did not know who to speak to in the NHS.
Matt Hancock, the secretary of state for digital, culture, media and sport, said on BBC Radio 4’s Today programme this morning: “There’s clearly much more that needs to be done. The NHS has made improvements since the WannaCry attack last year, but one of the challenges in cyber security is that the criminals and the malicious actors who are trying to harm our cyber security are moving fast, and you have to run to stay still. You can’t just make one update, you’ve got to constantly be updating.”
Lord O’Shaughnessy, the health minister, said last night: “We have supported [cybersecurity] work by investing over £60 million to address key weaknesses and plan to spend a further £150 million over the next two years.”