BCS says NHS needs to invest more in cyber security

Institute points to lack of skills increasing impact of Wannacry attack, and publishes blueprint for future assurance

A lack of investment in cyber security measures increased the impact of the Wannacry virus on NHS IT systems last month, according to BCS – The Chartered Institute for IT.

It said that, while doing the best with the limited resources available, some hospital IT teams lacked access to trained, registered and accountable cyber security professionals to ensure computer systems were fit for purpose.

Almost 50 NHS trusts were hit by the attack last month, which rendered computers unusable and demanded that a ransom be paid. The problems lasted for six days in some trusts, with operations and appointments being cancelled.

The warning comes as the BCS has published a Blueprint for Cyber Security in Health and Care.

According to David Evans, director of community and policy at BCS, the healthcare sector has struggled to keep pace with cyber security best practice, and with a systemic lack of investment the Wannacry attack was an inevitability.

Solid systems

“Patients should be able to trust that hospital computer systems are as solid as the first class doctors and nurses that make our NHS the envy of the world,” he said.

“Unfortunately, without the necessary IT professionals, proper investment and training, the damage caused by the Wannacry ransomware virus was an inevitability, but the roadmap we are releasing today will make it less likely that such an attack will have the same impact in the future.”

The BCS has been working with the Patients Association, the Royal College of Nursing, BT and Microsoft on a blueprint of steps that NHS trusts should take to protect themselves from another cyber attack.

Top of the list is ensuring there are clearly laid out standards for accrediting relevant IT professionals.

In addition, NHS boards need to ensure they understand their responsibilities, and how to make use of registered cyber security experts. Also, the number of properly qualified and registered IT professionals needs to be increased.  

Three-year roadmap

The blueprint covers a draft roadmap of steps to produce a cyber-safe NHS over the next three years. It includes the development of standards of practice this year, along with the first tranche of courses for digital leaders.

By the end of next year there should be clear advice and guidance for NHS boards on using registered professionals in the field, along with frameworks and processes to ensure academic research and real-life experience form the basis of future developments and standards.

In 2019 there should be an expansion in the number of professionals with relevant qualifications, and by 2020 boards should be able to assure the public they are safe from cyber attack. There should also be mechanisms to ensure they learn from future incidents in a structured way.
