Urgent: Investment In NHS Cybersecurity

A "massive" increase in spending is needed to prevent another "avoidable" cyber-attack on UK’s NHS computer systems, an expert has warned, following a ransomware attack hit 11 health boards in Scotland (pictured), as well as many other organisations worldwide.

Prof Bill Buchanan said the attack should act as a "wake-up call" to the government and health service. And he warned the NHS faced bigger threats, such as a large-scale power outage, that could cause loss of life.

Holyrood's health committee heard the WannaCry virus found its way into Scottish NHS systems either through their connection with the NHS England network or through the Internet.

It was able to spread through computers that were vulnerable through a combination of their use of a particular piece of software that shares information between devices, a particular network firewall configuration and the fact they had not been upgraded or "patched up" to the latest version of Microsoft software.

The unprecedented attack, which hit scores of countries, impacted on acute hospital sites in Lanarkshire as well as GP surgeries, dental practices and other primary care centres around Scotland. Health Secretary Shona Robison told the committee that swift action and co-ordination by the NHS in Scotland had limited the impact of the ransomware attack on its network.

But Prof Buchanan, from the Cyber Academy at Edinburgh Napier University, said the penetration of the virus "was avoidable" and there was no excuse for the patch or upgrade not having been carried out. He agreed with Green MSP Alison Johnstone that the incident should act as a "wake-up call" and called for a review of health and social care IT infrastructure.
He said: "This was a critical patch, critical is the highest level. If you want to use something from Spinal Tap, this was an 11 out of 10 in terms of its threat.
"So it should have been patched, it was well known and it was a race for the industry to catch up with the patch before those with the skills to make something malicious turned their evil hands to something.
"I think we got out of this very well but it could happen that it would be much more severe."
He added: "Our systems are legacy and we need to admit that.
"I think we need a massive increase in spending not just on computers, but in really looking at healthcare services and how we provide that to the citizen."

Andy Robertson, director of IT at NHS National Services Scotland, said the health service had measures in place to protect against these types of threats.

He pointed out that the virus had infiltrated only 1% of NHS Scotland's computers, amounting to some 1,500 devices.
"We think our defences worked fairly well in terms of the impact it had on the health service and we think where we were breached we were able to recover as per our recovery plans," he said.
He agreed that extra investment was needed, suggesting a further £15m a year on top of the £100m currently spent on centrally-managed IT programmes in the NHS.

That amount was described as a "sticking plaster" by Prof Buchanan, who said: "I think you need to add zero and then maybe another zero."

BBC

You Might Also Read:

NHS Cyberattack Was 'launched from N. Korea':

Healthcare Sector Accounts For 43% Of UK Data Breaches:

How Cybercrime Affects The Healthcare Industry:

 

 

« Petya Cyber Attack Update
App Or Browser: Which Is Safer For Online Banking? »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CFC Underwriting

CFC Underwriting

CFC is a specialist insurance provider and a pioneer in emerging risk, including cyber insurance.

The Security Awareness Company (SAC)

The Security Awareness Company (SAC)

The Security Awareness Company provides cyber security awareness training programs for companies of all sizes.

Cybersecurity Association of Maryland (CAMI)

Cybersecurity Association of Maryland (CAMI)

CAMI’s mission is to create a global cybersecurity marketplace in Maryland and generate thousands of high-pay jobs through the cybersecurity industry.

Featurespace

Featurespace

Featurespace is a world-leader in Adaptive Behavioural Analytics and creator of the ARIC platform for fraud and risk management.

Beosin

Beosin

Beosin is a blockchain security company providing cybersecurity services including security audits, on-chain asset investigation, threat intelligence and wallet security.

Grayshift

Grayshift

Grayshift is the leading provider of mobile device digital forensics, specializing in lawful access and extraction.

WhiteHawk

WhiteHawk

WhiteHawk is the first online Cyber Security Exchange. We help you understand your cyber risk and match you to tailored and affordable solutions.

Ridge Canada Cyber Solutions

Ridge Canada Cyber Solutions

Ridge Canada helps insurance brokers and insurance buyers understand, evaluate, and secure cyber coverage that is tailored to their business.

Truly Secure

Truly Secure

Truly Secure is an IT Service Provider that ensures greater efficiency and security within a company's technological environment.

CampusGuard

CampusGuard

CampusGuard focuses on the cybersecurity and compliance needs of campus-based organizations including higher education, healthcare, and state and local government.

RightCue Assurance

RightCue Assurance

RightCue Assurance identify opportunities for improvement in the Information Security for your organisation and work with you to reduce cyber risk.

Twilio

Twilio

Twilio are the customer layer for the internet, powering the most engaging interactions companies build for their customers. We provide simple tools that solve hard problems.

LT Harper

LT Harper

LT Harper specialise in cyber security recruitment. We believe in providing an individualised service to our customers whether they are looking for a new opportunity or to hire talent.

Dynamic Standards International (DSI)

Dynamic Standards International (DSI)

Dynamic Standards International is a global standards development organization which develops certifiable ‘dynamic standards’ that pace with fast-evolving landscapes.

Blind Insight

Blind Insight

Field-level searchable encryption plus fine-grained programmable access controls. All wrapped neatly in developer-friendly APIs and SDKs. Data protection perfection.

Soteria Cybersecurity

Soteria Cybersecurity

Soteria is your trusted Cybersecurity Partner in IT and OT.