NHS Digital has pledged to foster a cyber security-oriented culture in healthcare as hospitals come under increasing attacks from cyber criminals.
Rob Shaw, chief operating officer at NHS Digital’s Data Security Centre, told the Cyber Security in Healthcare conference in London that it would work closely with the National Cyber Security Centre when it begins operations on October 1.
“We need a better culture [around cyber security] because it cannot just be something that is added on at the end,” he said.
Shaw said maintaining patient care while remaining vigilant against such attacks was a challenge that could be met through making cyber security inherent to everything the healthcare sector does.
He added: “Although the amount of malicious traffic on the national NHS network is around the same level of other sectors, at 0.3 per cent, security and integrity of data in healthcare is absolutely critical….
“Don’t fall into the trap of thinking cyber security does not affect patient care because it does, and don’t entrust the security of the many to the few because everyone needs to be involved.”
Cyber criminality is increasing across the board, in particular ransomware attacks where malware is used to encrypt valuable digital files on a computer or device – and potentially other computers on the same network – before its authors demand a ransom for their release.
Shaw cited a recent phishing attack, where someone working in healthcare was tricked into opening an email that appeared to be from a contact about a subject of common interest.
“When he clicked on the email it appeared to fail to open, but he had compromised his machine and it took two weeks before the compromise was detected,” he said.
“There are many threats and sometimes things do get through, which means the way organisations respond when they are breached is important.”
The NHS’ computer emergency response team, CareCert, is to be used as a “front door” to support from the National Cyber Security Centre.
“CareCert is making a difference. In a recent ransomware attack, CareCert’s incident response team was able to contain, monitor and eradicate the malware before it could take hold,” said Shaw.
“We will be working with the NCSC to provide access to specialists, access help on how to handle security incidents, and share information with and from other organisations.”
Another concern is Windows XP: Microsoft is no longer updating the security on that operating system and its vulnerabilities are well known.
NHS Digital said 15 per cent of Windows installations in the healthcare sector are on XP.
“In addition to the costs involved, there is also the problem of migrating legacy applications that run on hardware that will not support more modern operating systems, which adds to the cost of hardware upgrades,” he said.