As if Covid-19 wasn’t challenging enough, the pandemic also brought a surge in cyber attacks on hospitals and health centres. As intensive care units (ICUs) struggled with high numbers of patients, Chief Information Officers (CIOs) played a critical role in keeping hospitals open.
“The last 18 months have been relentless,” says the head of cyber security at one NHS hospital. “You’d think that with the whole world facing the same struggle, hackers would have left us alone. But the opposite happened.”
The UK’s National Cyber Security Centre (NCSC), working in partnership with NHS Digital, responded to more than 200 major cyber-attacks related to Covid-19 in the first months of the pandemic. The health service was NCSC’s top priority; more than 1 million NHS IP addresses were supported, while “threat hunting” was performed on 1.4 million endpoints.
The threat level also increased in the US. The Healthcare Management and Information Systems Society reported that 70% of hospitals it surveyed experienced a significant security incident in 2020, including phishing and ransomware attacks that resulted in the disruption of IT operations and business functions, as well as data breaches and financial losses. Ransomware, botnets, remote code execution and distributed denial-of-service (DDoS) attacks were the most common incidents faced by healthcare organisations.
Integration priority
CIOs play a much broader role in healthcare than protecting an organisation against cybercrime. The confidentiality of patient records is paramount; patients and service users need to be absolutely confident that their data is secure before they fully participate in digital health systems.
As well as striving to ensure that the NHS remained operational at every level, retaining public confidence is also critical. Writing in Imperial College London’s 2020 report into NHS cybersecurity, Lord Darzi of Denham said: “The NHS holds large amounts of sensitive and valuable data in vulnerable systems. Effective cybersecurity is not just about protecting data, it is fundamental for maintaining the safety, privacy and trust of patients.”
Healthcare CIOs are also central to the drive towards greater integration between different systems. This is particularly evident in the new integrated care systems in England, which are committed to removing the traditional barriers to joined-up care. This requires creating compatible IT systems across GP practices, pharmacies, hospitals and social care providers. Increasingly, the CIO’s role is morphing into chief integration officer.
A major focus is ending the use of paper records and putting them online so they can be accessed by different parts of the health system. When Shauna McMahon became CIO of North Lincolnshire and Goole NHS Foundation Trust, one of her first innovations was the introduction of digital outpatient appointment letters. This has reduced the number of missed appointments, while allowing the trust to be more responsive to daily changes in demand. This means that more patients are seen and less time is wasted, helping to manage waiting lists.
But integrating IT systems also creates new risks. The NHS is made up of thousands of different entities, from GP practices and pharmacies to hospitals and distribution centres. In a typical day, about 1 million items are processed by the Electronic Prescription Service, an average of 68,000 appointment bookings are made via the NHS e-Referral Service and 35 million transactions are sent through the NHS Spine, the core infrastructure that allows secure communication across healthcare IT systems in England. In addition, it deals with tens of thousands of external suppliers, each with its own networks and vulnerabilities.
Unsecure secure network
Small wonder the NHS has been described as “the most unsecure secure network in the world”, with millions of endpoints, laptops and connected machines that are simply impossible to safeguard. As well as trying to ensure that all IT systems remain robust, the NHS has tens of thousands of physical locations to secure, while keeping tabs on a workforce of more than 1 million people.
During the pandemic, new systems were created at speed, such as Test and Trace, which added to the complexity. Test and Trace sought support from the UK cybersecurity company Risk Ledger to proactively manage supply chain risks. It used Risk Ledger’s secure “social network” platform, which enables organisations to connect and share risk data securely. Risk Ledger’s client base includes organisations like Bae Systems, City of London Police and Asos.
Haydn Brooks, CEO and co-founder of Risk Ledger, says “cybersecurity issues are broadly similar across all large organisations. It isn’t just about IT, but also about apps, premises and the supply chain. If someone can break into a building and hack into a computer, it can be just as serious as a cyber attack.”
What sets a health system like the NHS apart is the complexity of the organisation, Brooks says. In the NHS, cybersecurity risks are multiplied thousands of times over because it is a complex network of entities, he says.
“I think the NHS has a lot of good CIOs backed by expert teams who do a great job to make NHS systems as secure as possible. I’m sure they could do with more money and resources, but it is a question of balance between risk and cost, and the need to prioritise treatment and care.”
This is supported by research from CyberMDX and Philips, published in August, which showed that cybersecurity investment in hospitals remained a low priority in the US, because of the need to increase spending on frontline treatment and care. Just 11% of hospitals said cybersecurity was a high priority.
The digitisation agenda was turbocharged by the pandemic and will continue at pace. This requires more advanced digital products and platforms and more sophisticated use of data and analytics. But it also creates more opportunities for cyber attacks to exploit systemic vulnerabilities. Big challenges lie ahead for healthcare CIOs.