Professor of cybersecurity at Ulster University
Digitising the National Health Service brings enormous benefits, but it's far from straightforward.
The NHS has been attempting to digitise its service to reduce the pressure on its ever-dwindling resources and improve patient care for a number of years.
The benefits of such a move are plain to see, with the internet of things (IoT) being able to influence several areas including clinical operations, in-patient monitoring, medication management and workflow management.
However, a viable solution to ease the pressure on its IT network is still not in sight – which would be ‘unacceptable in any other 21st century organisation’, according to Health and Social Care Secretary, Matt Hancock.
The NHS needs to make the introduction of this digitisation as seamless as possible, considering that the NHS is running 24/7/365. There is not a period in which the system can be down (which may be possible in organisations not involved in critical infrastructure).
It will also need to go through the long process of accurately digitising all the analogue data it holds, so that online medical records show our history before digitisation.
Of the cybersecurity challenges that the NHS needs to overcome as part of the process of digitisation, the most obvious is the sheer size and diversity of the NHS ‘ecosystem’. A huge variety of devices will need to connect to a central server.
These devices range from computers and tablets to MRI scanners and heart-rate monitors, as well as staff members connecting their own personal devices to the network. Having such a large and diverse array of devices connected to the network will mean that there will be countless internet-connected endpoints in each hospital.
If proper visibility of the network is not achieved, then each endpoint will represent a potential vulnerability for cybercriminals to try to exploit.
Another concern for the NHS will be the worrying fact that no matter how much is spent protecting against external threats, no system is foolproof and one of the biggest security threats will still be the users of the system themselves.
This will include employees needing education in recognising suspicious emails and websites. The cybersecurity skills gap is well publicised, so the NHS will need to address this by adding cyber skills to any training programmes given to new members of staff.
If staff are still using default or weak passwords and clicking links in phishing emails, then digitising the entire system may provide more negatives than positives.
Does the public trust the NHS to pull it off?
However, the technical and internal challenges are not the only challenges the NHS faces. 2018 saw many highly-publicised data breaches, such as Marriott, Twitter and Google, which have alerted the public to both the importance and value of our data, as well as how large the threat to it is.
The result is a new emphasis on cybersecurity in business. After the WannaCry ransomware attack, which cost the NHS £92m, many members of the public are asking whether they can trust the NHS to capably digitise and store sensitive data safely and securely.
Unfortunately, it is almost impossible to completely secure data, simply because it is online, and cybercriminals’ tactics are always evolving.
By moving the data to the cloud, our medical data is more at risk from external threats than when we were using paper and pen. However, digitising does mean that individuals accessing patient records can be tracked and recorded.
In a paper system it would be much more difficult to log every person who views a document. By digitising the system, individuals can be logged and tracked, ensuring patient records are only viewed by authorised personnel (if properly managed).
The need for digitisation must overshadow the public’s doubts over the NHS’s ability to capably deliver it. Public scepticism may mean that the whole process takes years longer than it was initially planned, and may be more expensive than it was originally forecast, but it will pay dividends in the long run if they get it right.
Are private companies better placed?
The public’s perception, since the WannaCry attack, has shifted towards the idea that the NHS may not be equipped or possess the expertise, so some believe a larger private company may be better placed to take on this task.
While this may be true, the NHS has been working with external suppliers and experts for years, and already works with third-party suppliers and experts who are being asked to introduce innovations which will improve efficiency and reduce costs.
The NHS will have vetted these companies and have contracts with them detailing their responsibilities as well as what liabilities they will take on. This is important in terms of who is responsible for the data being secured as the NHS must receive the competent system that they asked for.
The integrity of the system will be determined by the individuals who built it. Therefore the processes surrounding the capturing, transferring and storing of data must be entirely transparent, so as to lift the responsibility from a handful of people.
Pulling it off
In 2017, research from Palo Alto Networks revealed that nine in 10 NHS IT decision-makers believe that solid best practice in security is key to the digital transformation of the NHS.
Two features which must be included are top-rate encryption of data, so that leaked data cannot be read, and advanced intrusion detection, so that intrusions can be dealt with as they happen, rather than just picking up the pieces of another data breach.
This is particularly needed in the new post-GDPR climate, which has introduced the principle of accountability. Now the NHS must ensure that all data is collected and stored in accordance with the new regulations and protect patient data sufficiently.
To deliver complete digitisation safely, the NHS must be able to deliver these and maintain their security protocols for years to come.
Inevitably this means increasing the number of IT security staff and consistently training their entire staff in at least basic cyber skills. Cybersecurity is not an area which can afford to be cut back on in this increasingly digital world.
Is The NHS Capable Of Delivering Complete Digitisation Safely?