Rise of AI, cloud computing and connected devices increasing risk of attack, report warns

Out-dated computer systems, a lack of investment, and a deficit of skills and awareness is putting NHS hospitals at risk of cyber attacks, researchers have warned.

A report by Imperial College London’s Institute of Global Health Innovation said more money needs to be pumped into IT security to avoid crippling cyber threats in the aftermath of 2017’s WannaCry attack, which disrupted 80 trusts across England alone because they were either infected by the ransomware or had turned off their devices or systems as a precaution.

The health service was forced to cancel almost 20,000 hospital appointments and operations as a result of WannaCry, while five A&E departments had to divert patients to other units.

With innovations in artificial intelligence, cloud computing and connected devices expected to progress in healthcare, the risk of cyber disruption will also significantly increase unless appropriate actions are taken, the report cautions.

“We are in the midst of a technological revolution that is transforming the way we deliver and receive care,” said Lord Darzi, co-director of the Institute of Global Health Innovation, who will present the White Paper on NHS Cyber Security to the House of Lords today.

“But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel.

“For the safety of patients, it is critical to ensure that the data, devices and systems that uphold our NHS – and therefore our nation’s health – are secure.

“This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyberattacks.”

All systems must be secure by design, not as an afterthought, researchers suggest, to prevent life-saving medical equipment and patient data falling into the hands of hackers.

The paper also says that security culture needs to be promoted as a patient safety concern, not just as an IT concern, by improving staff training and awareness.

“Since the WannaCry attack in 2017, awareness of cyberattack risk has significantly increased,” said Dr Saira Ghafur, lead author of the report.

“However, we still need further initiatives and awareness, and improved cyber security ‘hygiene’ to counteract the clear and present danger these incidents represent.

“The effects of these attacks can be far-reaching – from doctors being unable to access patients test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record.”

Last year, the health service announced plans to spend £150 million on cyber security over the next three years.

In February, a new joint unit known as NHSX was revealed to work on the health service’s digital transformation.