Increased use of technology and homeworking in light of the pandemic can present additional cybersecurity and patient safety challenges in the NHS. How can ‘cyber hygiene’ and collaboration mitigate the threat to patients? Claire Read reports 

As lead for digital health at the Institute of Global Health Innovation, Saira Ghafur spends a lot of time thinking about the issue of cybersecurity in healthcare. But she suggests that, in some ways, her job title contains a distinction which is now somewhat arbitrary.

“I think it’s a bit of a misnomer to speak of digital health now because everything is part digitised – this is just how we deliver healthcare now,” says Dr Ghafur, who is a practising respiratory consultant alongside her role at the Imperial College London-based Institute.

Sponsored by Sophos

And what that means, she suggests, is that cybersecurity is now an absolutely central patient safety issue.

As was seen during the WannaCry incident that affected the NHS in 2017 – and as has been seen more recently in Ireland, where an attack in May had what has been characterised as a “catastrophic” impact on the nation’s health service – a large attack has multiple serious consequences.

One is financial. Research commissioned by cybersecurity firm Sophos suggests the average cost for a healthcare organisation to recover from a ransomware attack is more than £900,000.

But, crucially, cyberattacks also delay the delivery of patient care. That in turn causes harm. Says Dr Ghafur: “There was an example in Germany last year where a patient was turned away from a hospital [due to the impact of a cyberattack] and they died en-route to the other hospital. Could they have been saved? Did that happen in the NHS in WannaCry?

“Attacks are becoming a bit more egregious every time,” she adds. “Hackers and attackers realise that actually you can absolutely bring our healthcare system to its knees by attacking.

“It is going from somebody sitting in their bedroom, playing around with what they can do, to sophisticated attacks – and very possibly state-sponsored. If you’re an attacker and it’s something like the NHS that has a somewhat homogenous system then you can do a significant amount of damage to everything.”

And the scope of what that “everything” entails has increased in recent months, she points out. “We absolutely rely on tech now and during the pandemic there’s been a massive [further] change to home working, using teleconsultation, using things like Teams to run your multidisciplinary team meetings.”

Gary Colman is head of IT audit and assurance services at West Midlands Ambulance Foundation Trust, a role in which he and colleagues also provide services to other NHS organisations. He says that the increased use of technology and homeworking in light of the pandemic can present additional cybersecurity and patient safety challenges in the NHS.

“It’s definitely become a lot more complex because beforehand you had all your devices on your network and you had complete visibility of them. When devices go home you can still remotely manage them and configure them, but there is always a chance that someone’s found a way to hook up a printer that they wouldn’t have in the office.”

There’s also an additional information governance worry. “If I have a meeting, I come upstairs, I move away from open windows because I live next to a public area,” says Mr Colman. “So the concern we’ve been trying to drive home to people is it’s not just the cybersecurity, it’s information governance – when you’ve got someone talking about patients at home, and perhaps have other people in the room [or nearby].”

That it was possible for the NHS to move so swiftly to remote consultations and home working for staff is a major achievement, Dr Ghafur emphasises. “To be able, all of a sudden, to provide virtual care across the board was an amazing feat – everyone who supported that is amazing.

“But I think at that point in time, cybersecurity was not going to be the big limiting factor. It was: ‘How can we get care out and make it accessible to people as quickly as possible?’ But now I think it needs to be 110 per cent up there, because we’re not going to go back to traditional ways of providing care, this is here to stay.”

She says continuing education of users is therefore crucial (“keeping up cyber hygiene,” as she puts it), as is making sure that computer systems are quick and easy to use (ensuring it is quick to log in and out of programs, for instance, so reducing the temptation to share passwords).

And, in language strikingly reminiscent of that used to discuss the pandemic, Dr Ghafur also argues that a global viewpoint on such issues will be increasingly important.

“We know very well that cyber attacks don’t respect borders, so actually this is where we need to collaborate much more internationally, to work with our partners. The World Health Organization needs to take more of a stance to make cybersecurity part of that patient safety agenda.

“It’s not if we’re going to have another cyber attack, it’s when we’re going to have another cyber attack,” she stresses. “So it’s making sure that we’ve got everything in place to be able to mitigate the impact on patients, making sure we’ve got backup systems, making sure that we can get up and running as quickly as possible.

“Cybersecurity is not just an IT thing,” concludes Dr Ghafur. “It’s a patient safety thing first and foremost.”

Should cybersecurity be seen as a patient safety issue?