
NHS to Hire Hackers to Probe for Security Vulnerabilities and Prevent Future Cyberattacks

In May 2017, the hackers behind the WannaCry ransomware exploited vulnerabilities in the UK's National Health Service (NHS) systems and installed their malicious payload, causing considerable disruption to services at several NHS Trusts.

More than 50 NHS Trusts were affected by the WannaCry ransomware attacks, resulting in appointments being cancelled and operations being postponed. There was widespread disruption while the attack was contained. Had the malware's kill-switch domain not been discovered and registered by a security researcher, halting further infections, the fallout would have been far worse.

Around 600 GP surgeries were impacted by the attacks, five hospitals were forced to divert ambulances to other hospitals, and more than 19,500 appointments were cancelled as a result of WannaCry. The attacks affected around 1% of all devices and diagnostic equipment used by the NHS.

The WannaCry ransomware attacks prompted the government to launch an independent investigation into the state of cybersecurity at the NHS. Last month, the National Audit Office (NAO) released its report which confirmed the extent of disruption and the poor state of cybersecurity.


The post-mortem after the attack revealed that outdated and unsupported operating systems were still in use in many NHS Trusts, and that basic security measures to prevent attacks had not been implemented. According to the report, multiple warnings had been issued about the risk of cybercriminals exploiting known vulnerabilities, but it took the WannaCry attack before action was taken.

Amyas Morse, head of the NAO, said the WannaCry attacks were "relatively unsophisticated", and that the attacks could have easily been prevented with basic cybersecurity measures. Morse issued a warning, saying, "The Department [of Health] and the NHS need to get their act together to ensure the NHS is better protected against future attacks."

Despite the current funding crisis at the NHS, £20 million has been set aside to fund a cybersecurity unit to improve digital defenses. Part of that fund will pay for ethical hackers who will conduct penetration tests to find exploitable vulnerabilities before they are found and exploited by cybercriminals. This proactive approach should help prevent future cyberattacks by ensuring security weaknesses are found and addressed rapidly, although a penetration test only captures the weaknesses present at the time it is run, so its value depends on the findings actually being fixed, including the retirement of the unsupported operating systems the NAO report identified.

The initial pen testing will be conducted on NHS Digital's own systems to ensure its cybersecurity defenses are sufficiently robust, before the team of ethical hackers turns its attention to NHS Trusts and hospitals.

NHS Digital, which has put the contract out to tender, also plans to create a national cybersecurity monitoring and alerting service covering the entire health system in the UK. The new service will provide near real-time alerts on the latest threats, allowing hospitals and Trusts to take rapid action to secure their systems when new vulnerabilities and threats are identified.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.