NHS and digital health firms must improve cybersecurity

The NHS and digital health companies must learn from other industries to secure devices and systems against cyber attacks, according to a new report.

The Royal Academy of Engineering’s report, “Cyber Safety and Resilience” says connected health devices could transform care in hospitals and patients’ homes.

But there are many cybersecurity risks, ranging from ransomware attacks that disrupt care delivery, and data breaches caused by malicious or accidental action that risk privacy and integrity of patient data.

Rapid growth in consumer, wearable, and mobile technology used in healthcare is increasing these risks but there is a lack of awareness of how to manage them.

According to the report, other sectors are more advanced in terms of awareness, governance and security resource.

In a special focus on the health sector, the report authors said the NHS has little knowledge of the current security risks and potential impacts on connected health devices.

“There is a need to start measuring the problem before solutions can be identified,” authors said.

More work needs to be done in regulation, as European rules do consider the full impact of poor cybersecurity on patient safety or privacy, according to the report.

There is a lack of consistency in different countries – for instance authors found that in the US, there is an explicit focus on cybersecurity but not on telecoms standards and privacy, with implications for telehealth and telecare services.

In a series of recommendations, the report said that the NHS could learn from best practice case studies from professional engineering institutions, which could be applied to digital systems across the country.

It also called for the UK's regulator, the Medicines and Healthcare Products Regulatory Agency (MHRA) to ensure its work includes cyber safety and resilience as a matter of course.

Last year, the cyber security risks facing the NHS became apparent when many hospitals fell victim to the “WannaCry” virus, which caused cancelled operations, ambulances being diverted, and patient records to become unavailable in England and Scotland.

Hospitals in the US have also been disrupted by viruses – a recent example was the ransomware known as “SamSam”, which has attacked public and private institutions in the US over recent months.

Hancock Regional Hospital in Indiana reportedly paid a $45,000 ransom in bitcoins to recover its data after the virus locked its computers.