Avoiding another cyberattack will take human and technical solutions, say expertsBMJ 2017; 357 doi: https://doi.org/10.1136/bmj.j2464 (Published 19 May 2017) Cite this as: BMJ 2017;357:j2464
Protecting against a cyberattack of the sort that paralysed at least 47 NHS trusts on 12 May123 will not be simple, experts have warned. Vulnerability is likely to increase rather than diminish as more and more IT systems are linked and patients’ access to them is made easier.
Bryan Hurcombe, of the accountancy and consulting company Deloitte, told a Westminster Forum meeting in London on 18 May that the problem was both human and technical. “Many NHS organisations have legacy IT systems that were never designed with cyber-risks in mind,” he said. “It’s very hard to get rid of these systems—they’re engrained in the DNA of organisations. It’s not just a case of lifting and shifting them.
“Today they would be built to be ‘secure by design,’ but that’s very challenging to do. Hundreds of articles have appeared asking, ‘Why haven’t we done it?’ Trying to implement ‘secure by design’ principles is tough, and in the public sector we’ve really struggled to find the right talents to help us do that. People say we should all patch with the latest security updates, and of course we should, but I can give you 20 reasons why we don’t. It’s just not that easy to do, and it takes time.”
A big cyberattack was certain to happen again, Hurcombe said.
James Hatch, director of cyberservices at BAE Systems, said that the protections once offered by physical distance had evaporated. In the predigital age people protected their property by fences and alarms. If those failed, they called the police. Security in the wider world was left to governments and their intelligence and military services. “Digital technology has eliminated distance,” he said. “We can’t any longer rely on local solutions. We need a new understanding of how to do risk management.”
He added that organisations needed to make sure they were thick skinned and resilient: hard to penetrate and resistant to damage once penetrated. “It’s wrong that most attacks still start with an email, and it’s wrong that so many systems can be incapacitated by a virus once it has been activated.”
Good email security should do the job, he said, if everybody could be trained not to open attachments from senders they were unsure about. But that alone could not be relied on, and technical solutions were also needed. Making access harder by multiplying the number of passwords needed was counterproductive, Hurcombe said, as users get so fed up with passwords that they develop workarounds.
“I was talking to a trust the other day, in the emergency department. Its primary function is to save lives, not to put in six different passwords in six different computers to try to get online. So, what do they do? We all have this dilemma of usability and security. They leave the computer open, so they can get access to it at a moment’s notice.”
A questioner said that existing systems in the NHS were “silo based” but were increasingly being opened up by the use of patient portals, creating a new risk that was yet to be fully considered. Would it be more secure for the data to be stored in cloud systems rather than by trying to make existing legacy systems better?
Hurcombe said that cloud based systems could be imagined but the truth was that the solution was likely to be a hybrid. “We’re not going to rip out the legacy systems, for good reasons,” he said. “MRI scanners, for example, are nearly all Windows XP based, and we have to get the images to doctors who may be in different hospitals.”
Among useful steps that should be taken, speakers suggested, were better training, “clustering” of organisations so that smaller ones could benefit from the experience of large ones with bigger IT departments (an idea favoured by the Cabinet Office), and a much greater willingness to share the experience of IT breaches when they happened. Ben Lindgren, head of security delivery at Faster Payments, a banking system, said that automating the updating of systems could help.
“Historically, IT departments have been loath to turn on automatic updating for fear that it may actually cause a problem,” he said. “It’s all too easy to forget to patch a machine, and then suddenly you’re hit. If you have automatic updating turned on, the chances are it won’t affect your machine.”