
Cybersecurity: cracks in the system

Health & Society
06.12.24

A ransomware onslaught on a hospital in London this year has exposed the vulnerability of online patient data, which has compromised care and breached privacy. Doctors tell Tim Tonkin of the urgent need for the NHS to be better prepared and protected

Synnovis, a partnership organisation providing pathology services to NHS trusts in south-east London, became the victim of a ransomware cyberattack launched by an overseas criminal enterprise in June this year.

Synnovis processes blood tests for five foundation trusts. The attack on its IT systems saw the theft of patient data, including names, NHS numbers and test codes, and rendered medical records inaccessible, leaving hospitals unable to cross-match patients’ blood types.

The cascading chaos saw hospitals declare critical incidents and resident doctors, who at that time were still engaged in industrial action around pay restoration, step off picket lines to manage the fallout.

Such was the scale and severity of the incident that it took more than three months for normal services to be largely restored, with NHS England confirming that the disruption during this period led to 10,152 acute outpatient appointments and 1,710 elective procedures being postponed.

With trusts unable to verify patients’ blood types safely, the attack also necessitated desperate appeals for O-negative blood, which in turn contributed to a national shortage – an occurrence arguably without precedent in the history of cyberattacks on health services.

Lagging behind

‘I think health systems globally are much further behind other critical sectors in terms of shoring up cyber services, very much so if you compare it to industries like FinTech, transport and energy,’ warns Saira Ghafur, consultant in respiratory medicine and digital health lead at Imperial College.

‘The Synnovis attack saw a third-party supplier of pathology services, a small piece of the NHS in London, targeted, but I think it’s probably one of the biggest cyberattacks to hit the NHS in the UK because of the amount of disruption.

‘We have no idea really what the impact has been, the cost of all the tests that were cancelled or delayed, the economic costs or the cost to patient outcomes.’

Indeed, as serious as the Synnovis attack was, it is far from unique when it comes to the recent history of cybersecurity and the NHS.

In 2017, the health service was one of many organisations hit by the global WannaCry ransomware worm, which encrypted data on infected systems and ultimately cost the NHS £92m in lost output and IT support.

Meanwhile, this year alone has seen multiple cybersecurity breaches involving staff or patient data, not including the attack on Synnovis, with incidents reported by the NHS Dumfries and Galloway health board and the Norfolk and Norwich University Hospitals NHS foundation trust.

‘We know cyberattacks on the NHS, and on all critical national infrastructure, are increasing year on year,’ warns Isabel Straw, an emergency medicine doctor and researcher in AI and cybersecurity in healthcare.

‘We’re seeing this in the finance sector and kind of other areas, but we know healthcare as well is becoming increasingly targeted.’

Dr Straw is based at the UCSD (University of California San Diego) centre for healthcare cyber security, where her work focuses explicitly on the threats posed by ransomware to health services.

She says that there are several factors which make healthcare systems worldwide a vulnerable target, such as the reliance on digital services provided by third parties and the challenges around implementing system updates.

In addition to these, Dr Straw adds there are issues more specific to the NHS connected to long-running underfunding of IT infrastructure, which has led to healthcare staff relying on outdated or inadequate technology.

Ageing IT

‘Healthcare [in particular] relies on this huge landscape of interacting vendors and servers, different technologies,’ explains Dr Straw.

‘When a cyberattack hits, even if it might not have initially been targeting healthcare, healthcare services can end up being taken down as a result. Additionally, the lack of IT investment in the NHS creates specific vulnerabilities, as we’re using very old IT systems.

‘There’s also the global issue in healthcare in that it’s very difficult to update systems because [in healthcare] you can’t just turn something off.

‘If the emergency department relies on a particular IT system, and you need to do a software patch to update it, you can't just turn off the [emergency] department [so] every time you want to make that kind of update and improvement, you have to weigh it up against the clinical impact and patient care.’

As well as being hamstrung by its patchwork of increasingly archaic IT systems, the NHS is made further vulnerable to cyber-based attacks as an indirect consequence of the enormous day-to-day pressures facing health service staff.

STRAW: 'It's very difficult to update systems because you can’t just turn something off' (picture credit: Adrian de Leon)

With doctors and other healthcare professionals focused on caring for patients in a woefully under-staffed and under-resourced NHS, and amid an unprecedented backlog of unmet care, this high-pressure, time-poor working environment is often not conducive to good cyber-hygiene practices such as the use of multifactor authentication.

‘We know there are lots of technological issues in the NHS that present risks such as outdated technologies and legacy systems but the other vulnerability is human behaviour ... but a lot of that is related to the conditions staff are working under,’ says Dr Straw.

‘With all the pressures that exist in the NHS in terms of staffing and volume of patients, cyber hygiene is the last thing on your mind. That might mean that you share logins or you leave computers logged in, as you don’t have that capacity to be doing things that are really secure.

‘With something like MFA [multi-factor authentication] there’s a challenge of how you balance these security practices with the capacity that doctors, who are already working under such intense pressures, have.

‘This is made harder especially when we don’t have much of a conversation about cyber security and medicine and when there is not a direct connection in people’s heads to how is this going to impact patient care.’
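The two lapses Dr Straw describes, shared logins and workstations left logged in, are also things a trust’s security team can look for in its own audit data. The following is an added example, not code from the article or from any NHS system: a small Python check over constructed workstation logon records that flags an account active on two machines at the same time, a common signature of credential sharing, and sessions still open beyond a maximum age. The log format, account names, hostnames and the eight-hour threshold are all assumptions made up for the example.

```python
"""Spot two cyber-hygiene lapses in workstation logon records:
shared credentials (one account active on several hosts at once) and
sessions left logged in past a maximum age.

All log lines below are constructed for the example; the format
(timestamp, event, account, host) is an assumption, not a real product's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, LOGON/LOGOFF, account, workstation
SAMPLE_LOG = """\
2024-06-03T08:02:10 LOGON  dr.jones  ED-WS-01
2024-06-03T08:15:42 LOGON  dr.jones  ED-WS-04
2024-06-03T08:40:05 LOGOFF dr.jones  ED-WS-01
2024-06-03T09:00:00 LOGON  nurse.k   ED-WS-02
2024-06-03T12:30:00 LOGOFF dr.jones  ED-WS-04
2024-06-03T20:10:00 LOGON  dr.patel  WARD-WS-07
"""


def parse(log_text):
    """Turn the text log into (timestamp, event, account, host) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, account, host = line.split()
        events.append((datetime.fromisoformat(ts), event, account, host))
    return sorted(events, key=lambda e: e[0])


def find_shared_logins(events):
    """Accounts that were logged on at two or more hosts simultaneously."""
    active = defaultdict(set)   # account -> hosts with an open session
    flagged = set()
    for _, event, account, host in events:
        if event == "LOGON":
            active[account].add(host)
            if len(active[account]) > 1:
                flagged.add(account)
        elif event == "LOGOFF":
            active[account].discard(host)
    return flagged


def find_stale_sessions(events, now, max_age=timedelta(hours=8)):
    """(account, host) pairs still logged on for longer than max_age at 'now'."""
    open_sessions = {}          # (account, host) -> logon time
    for ts, event, account, host in events:
        key = (account, host)
        if event == "LOGON":
            open_sessions[key] = ts
        elif event == "LOGOFF":
            open_sessions.pop(key, None)
    return sorted(k for k, start in open_sessions.items() if now - start > max_age)


def report(log_text, now_iso, max_age_hours=8):
    """Run both checks and return the findings as plain data."""
    events = parse(log_text)
    now = datetime.fromisoformat(now_iso)
    return {
        "shared": sorted(find_shared_logins(events)),
        "stale": find_stale_sessions(events, now, timedelta(hours=max_age_hours)),
    }


if __name__ == "__main__":
    # Evaluate the constructed log as of the following morning.
    for kind, findings in report(SAMPLE_LOG, "2024-06-04T06:00:00").items():
        print(kind, findings)
```

A hit from the first check is a prompt for a conversation with the ward rather than proof of misuse, since clinicians legitimately move between workstations; the threshold and the source of the events (a directory service’s logon audit or the clinical system’s own audit trail) would need tuning to the trust’s environment.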

The human cost of a cyberattack on healthcare to doctors and patients is something consultant psychiatrist Andrew Molodynski unfortunately knows only too well.

MOLODYNSKI: Workplace victim of ransomware attack

Dr Molodynski’s workplace, Oxford Health NHS Foundation Trust, was one of a dozen trusts affected by a ransomware attack in August 2022.

The incident saw CareNotes, a patient-records system supplied to the NHS by software provider Advanced, compromised, leaving doctors and other healthcare staff unable to access vital clinical information.

More than two years on, Dr Molodynski can still recall the chaos and confusion generated by the incident which, like this year’s attack on Synnovis, took months to rectify fully.

‘Initially we all just heard basically that the system was down but without knowing why or for how long,’ he says.

‘It then became apparent over the next few days that there was a fairly major problem.’

Emergency measures

With him and his colleagues suddenly unable to access patients’ records, Dr Molodynski said they were forced to create temporary records by collating any existing data with records requested from GP practices.

‘Our admin team were amazing and put in a huge shift creating temporary folders just using Word documents for all our patients and putting into those folders whatever they could because by then, it was becoming obvious that no one knew how long [the situation] was going to go on for,’ he says.

‘It was a bit like going back in time to pre-electronic records and when people were being seen in [emergency departments] as an emergency when staff wouldn’t have had their notes.

‘There was obviously a gap there for some of the very acute stuff, which we felt created an increased risk and made looking after people more difficult.’

Dr Molodynski says his experience of trying to care for patients while having no access to records has been difficult at times and unsettling.

He adds that, while he was not aware of the cyberattack which affected his trust having led directly to serious negative consequences for his patients, the incident overall would have undoubtedly resulted in ‘situations where the outcome was not as good as it could have been’.

‘When you’re seeing a patient, you want to be absolutely certain what treatment they’re on, because usually you’re thinking of making changes to that treatment,’ he says.

‘If you don’t know exactly what someone’s taking, it’s hard to make changes, and we don’t do it from memory for a very good reason, because it’s not very safe.’

Impact of an attack

As well as disrupting day-to-day services, attacks on IT and other electronic systems present data-protection risks, since ransomware attacks increasingly involve the theft of sensitive personal information.

Nineteen days after the attack on its systems on 3 June, Synnovis confirmed some patient data stolen during the attack had subsequently been published online.

Dr Molodynski said the prospect of patient data being leaked as the result of a cyberattack posed serious concerns and threatened to undermine patient confidence in health services and the doctor/patient relationship.

‘Patients come and see psychiatrists, they tell us the most personal and most difficult things about their lives,’ he says.

‘They do that with trust and with an expectation of privacy and that’s the only way it can work. If that were to be blown apart by repeated incidents like this, it would be a big thing and pretty scary.’

On 7 August this year the Information Commissioner’s Office imposed a provisional fine of £6m on Advanced Ltd on the grounds that the provider had ‘failed to implement measures to protect the personal information of 82,946 people’ during the attack.

Despite these apparent cybersecurity vulnerabilities, the NHS is poised to embrace digitisation more deeply, through the rise of AI in healthcare and new plans to give patients full access to their medical records via the NHS app.

Dr Ghafur said that, while she welcomed the principle of democratised healthcare through greater sharing of data with patients, she believed there was a danger of rushing ahead with changes without ensuring they were secure.

‘I think it’s a great idea to open up patient records to patients – at the end of the day it’s their data – but I don’t think the security challenges have been fully considered,’ she says.

‘At the end of the day we’re data controllers in the NHS, any kind of healthcare professional has that duty of care to make sure that you are, whether it's paper records or digitised health records, to do your utmost to protect that patient data.

‘There is a huge element of trust that takes years to build up and just a second to wipe out.’

The growing cyber-security threat posed by bad actors, state and criminal, to institutions including the NHS, is being increasingly recognised, with NHS England beefing up its approach to security in September this year by adopting the National Cyber Security Centre’s CAF (cyber assessment framework).

GHAFUR: Health systems lag behind other critical sectors in cybersecurity

Meanwhile, the Government is pressing ahead with its Cyber Security and Resilience Bill, proposed legislation which will bring the UK’s cybersecurity laws in line with those which exist in the EU, and which will expand regulation to digital services and supply chains and mandate the reporting of cyberattacks.

Dr Straw welcomes the bill and the adoption of the CAF, but believes one area that remains underdeveloped is the involvement of doctors and healthcare professionals in the conversation around, and contingency planning for, cyber incidents.

As part of her work at UCSD, she and her colleagues are also seeking to develop the first ever set of clinical guidelines to assist doctors in responding to cyberattacks on their workplaces – guidance she hopes will ultimately be adopted on both sides of the Atlantic.

Alongside her work at UCSD, Dr Straw runs non-profit organisation ‘Bleep Digital’, which aims to educate healthcare professionals around the risks of cyberattacks to health services and how to respond to such attacks when they occur.

‘The more dependent you are on digital systems, the more vulnerable you will be to digital attacks and one thing that is really lacking at the moment, is orienting our response plans in terms of the clinical impact,’ she says.

‘There are specific medical conditions that we know are more likely to be impacted by ransomware attacks, such as strokes and other time critical conditions.

‘These guidelines are clinically orientated for doctors to read, as opposed to for the IT team. I haven’t seen [them] in the UK or a lot of Europe at all, it’s definitely something we want to integrate and bring to hospitals so there is an immediate response plan when those things occur.

‘If you’re going to connect something to the internet or to a network, that connection has to be secure,’ Dr Straw warns.

‘At the moment, we’re connecting everything before we’re securing everything, and as a result creating this wild west where we’re playing catch up on the cybersecurity front.’