- Author: Guy Lynn and Stephen Menon
- Role: BBC Investigations, London
A leading cyber security expert has warned that the NHS remains vulnerable to further cyber attacks unless the organisation updates its computer systems.
This shocking finding follows a major ransomware attack that has severely disrupted healthcare services across London.
Prof Ciaran Martin, the founding CEO of the UK’s National Cyber Security Centre (NCSC), told the BBC: “I was shocked, but not entirely surprised. Ransomware attacks on healthcare are a major global problem.”
NHS England said it wanted to increase cybersecurity resilience and had invested £338 million over the past seven years to address the issue.
But Prof Martin’s warnings suggest that more urgent action may be needed.
A recent report from the British Medical Association found that the NHS’s IT infrastructure is outdated, with doctors wasting 13.5 million hours a year on outdated systems – the equivalent of 8,000 full-time doctors’ time.
The June 3 cyberattack, described by Prof Martin as one of the most serious in British history, targeted Synnovis, a pathology testing organisation, and had serious implications for services including Guy’s, St Thomas’, King’s College and Evelina London Children’s Hospitals.
NHS England declared the incident regional, resulting in 4,913 postponed outpatient appointments and 1,391 postponed operations, and raised significant concerns about data security.
Russian hacking group Qilin, believed to be part of a Kremlin-backed cyber army, demanded a £40 million ransom. When the NHS refused to pay, the group published stolen data on the dark web.
This incident reflects the growing trend of Russian cybercriminals targeting global healthcare systems.
Prof Martin, now a professor at the University of Oxford, highlighted three critical issues facing NHS cybersecurity: legacy IT systems, the need to identify vulnerabilities and the importance of basic security practices.
He warned: “It is clear that some IT systems within the NHS are outdated.”
He stressed the importance of identifying the single points of failure in the system and implementing better backups.
Prof Martin also stressed that improving basic security measures can significantly hinder attackers. He said: “Those little things make it much harder for criminals to get in.”
He stressed the seriousness of the recent attack, concluding: “It was clear that this would be one of the most serious cyber incidents in UK history because of the disruption to the healthcare system.”
‘Cybersecurity is expensive’
Some frontline workers who spoke anonymously are deeply concerned about recent cyberattacks, citing the outdated equipment they use.
A senior intensive care doctor in London warned: “The NHS is vulnerable.
“It’s a patient safety issue, but there’s no interest in addressing it. People either don’t know about it or don’t want to hear about it.”
An ER consultant in North London told us they were working with “ten-year-old computers and Windows 7” and their systems crashed “every few months”, while a junior doctor highlighted the risks of outdated equipment and privatisation.
“Old computers pose a security risk to patient data. The Synnovis incident shows how vulnerable we are,” the doctor said.
A senior orthopaedic surgeon described the fragmented nature of NHS IT: “There is no uniform system. A patient’s X-ray in one hospital is not accessible in another.
“It is shocking and worrying for cybersecurity.”
Another junior doctor added: “The NHS is not doing enough.
“Cybersecurity is expensive and our funding has been cut for over a decade.
“It’s incredibly frustrating.”
Dr Daniel Gardham from the Surrey Centre for Cyber Security echoed Prof Martin’s concerns about legacy systems and the potential link between these systems and cyber attacks.
“If you have old computers, there are simply vulnerabilities that have not been patched,” he said.
“This means there are ways for attackers to get in.”
Dr Gardham stressed that while sophisticated attacks are occurring, many breaches are the result of basic security flaws.
“It could be something very, very simple and it probably is something very, very simple.
“For example, it could involve one person who had a weak password or left his computer unattended in a cafe.
“Many cyber attacks are not sophisticated.”
An NHS England spokesperson told the BBC: “We are increasing cyber resilience across the NHS and over the past seven years more than £338 million has been invested to keep health and care homes as secure as possible.
“Our ambitious Cyber Improvement Programme is supporting the NHS in responding to evolving cyber threats, expanding protection and reducing the risk of a successful attack.”