Diagnosis high risk: Why the NHS is a cyber criminal’s dream

Hackers are taking a more sinister approach than most people would care to imagine

Mention cyber crime to most people on the street and their first thought is of people sitting in darkened rooms trying to infiltrate national security, or trying to get at their hard-earned money. People are increasingly careful about protecting their internet banking passwords, with an admirable awareness of the cyber criminals lurking in the shadows. But is money all it comes down to?

It would appear not. What goes on in those darkened rooms is something equally sinister and inherently more personal.

Apart from money, what is precious to people? Photographs, emails and messages, perhaps. Everyone knows the sweat-inducing panic of a lost mobile phone. But cyber crime is taking a more sinister and personal approach than most people would care to imagine.

When you go to your GP or local hospital you never imagine that your data could become a weapon used against the very institution that is providing your care. Yet this is the horrifying turn of events that the digital era now confronts us with.

From treatment for infectious diseases and mental health conditions to advanced cancer therapy and stroke rehabilitation, healthcare information is among the most personal and sensitive data there is: a cyber criminal's dream. Cyber-centric crime is an ever increasing threat to this data, and the people in those darkened rooms have had a eureka moment in understanding the psyche of the average person, who deserves not only privacy but a right to comprehensive, informed healthcare.

Over one third of health trusts in the United Kingdom have been targeted by cyber criminals, mainly with a class of malware known as ransomware. Ransomware encrypts an organisation's files and then demands payment for the key needed to unlock them, effectively holding the data to ransom. Numerous attempts have succeeded, and, more worrying still, data obtained under the Freedom of Information Act shows that some of those ransoms were paid.

Why? Because without access to the encrypted patient records, people's lives are at risk. It is that simple. Even hospitals that refuse to pay inevitably have to take systems offline to contain the infection and rebuild. With the health service being directed towards 'a paperless NHS by 2020', losing access to patient records without an effective contingency plan is a problem that will only get worse.

This is borne out by the widely publicised attack on Northern Lincolnshire and Goole NHS Foundation Trust, which restored its systems within days of a ransomware infection yet still had to cancel nearly 3,000 appointments and operations in the meantime. Nor is it only records at stake: as more hospitals move to electronic prescribing systems, a compromised system could also give access to prescription drugs, which are hugely appealing on the dark web.

So what can we do? It isn't as simple as installing anti-virus software, as Leeds Teaching Hospitals NHS Trust knows, having been attacked 19 times last year alone. Anti-virus software is not sufficient on its own, and according to PricewaterhouseCoopers' (PwC) Global Economic Crime Survey the NHS is at greater risk from economic crime than ever before.

The NHS is in crisis. With budgets being slashed, NHS England faces a reduction of 0.6% per head in the 2018-19 financial year. This affects not only nurses per ward but also the budgets for preventative measures against cyber crime. Hospital trusts will nonetheless still bear the burden of being held to account for cyber attacks. Although initiatives have been launched to assist health and social care services, their success will come down to the finances available (or not available, as the case may be).

The law in the area of cyber-centric crime is disjointed, having struggled to keep up with the fast-paced, ever changing world of information technology. From the Computer Misuse Act 1990, which has been amended numerous times, to the new 'Snoopers' Charter' (the Investigatory Powers Act 2016), access to data is high on the agenda. Yet the protection of social media content and personal communications seems to worry people more than the prospect of their healthcare data being accessed. Or is this just a lack of awareness of a clear and present risk?

The General Data Protection Regulation (GDPR), which applies from May 2018, will have some sway on this. Being directly applicable, it needs no domestic legislation to implement, and even with an impending Brexit compliance will be needed until decisions are made on consolidating EU regulations into domestic law. The implications for organisations that suffer a breach are hefty. The requirement to report personal data breaches promptly (to the regulator within 72 hours, where feasible), backed by the threat of massive fines, reflects a reactive position; having the funds and guidance to implement satisfactory security in advance seems to be an afterthought. If an organisation is targeted and a fine is incurred, that can only leave it more vulnerable than before.

Although there is plenty of guidance on satisfactory privacy, risk and data management, the issue is clearly the lack of resources to implement it. For example, the majority of hospitals still have computers running Windows XP, bearing in mind that Microsoft stopped issuing security updates for that operating system in April 2014, so every vulnerability found in it since then remains unpatched. It is not hard to see why the NHS is a cyber criminal's dream.

Instead of punishing organisations after a security breach, give them a minimum operating requirement and specification to adhere to in advance, with financial penalties for failing to meet it before any breach occurs; otherwise we are shutting the proverbial stable door after the horse has bolted. The root cause of the problem must be resolved first, or we are practically opening the door to the people sitting in those darkened rooms to come and invade one of the most personal aspects of our lives.

Lauren Henry is a part-time BPTC student, who has a law degree from the Open University. This post was one of the standout entries we received for the BARBRI International Cyber Crime Blogging Prize.


9 Comments

Anonymous

We should tax people's second, third, etc. homes more heavily to pay for an update of the NHS systems. It doesn't seem right that people profit off the tenants who line the landlord's pockets so that they can sip expensive champagne on their extended holidays in the south of France.

Anonymous

That's a great idea. In fact, let's just take all their assets, give them to the state, and force the bourgeois pigs to work on a collective farm!

Anonymous

No way! Most things that people have earned, they should have a right to keep. Housing is fundamentally different. There has to be protection in place to help people buy, rather than have it all end up in a few hands whilst your everyday person (most of whom are hard working) spends £6-12,000 per year into the hands of their landlord and never has a chance to escape that cycle.

Anonymous

People really do need to be made to work for longer. Retirement at under 70 is not sustainable. It is a double win: work people an extra 10 years and that creates a huge windfall in pension savings. The other win is that hopefully fewer people will vote Tory, so the country can be for everyone and not just the privileged few.

Anonymous

“Instead of punishing organisations after a security breach, give organisations a minimum operating requirement and specification to adhere to in advance, with financial penalties for not meeting this in advance of any breaches”

– this is a huge misunderstanding about the role the GDPR will play. It is not designed to punish organisations that are attacked; it is designed to ensure that companies are ready for potential data breaches and that they are processing personal data in a way that is fair and lawful.

I like the article on how poor funding can lead to a cyber risk, but the ICO (the governing body for data) will not just dish out massive fines for hacks. If organisations have adequate safeguards in place and can demonstrate this, they will not be fined. The GDPR is a kick up the arse to consider this, not to kick someone when they are down.

