Cyber security in the NHS: useless operating systems and legacy applications

It is widely acknowledged that the NHS is facing unprecedented challenges, from hard to hit targets and financial deficits to rising patient numbers, increased waiting times and reduced bed availability.

But it doesn’t end there, with healthcare providers facing increasing challenges on the digital health front too. According to the latest quarterly review from the Information Commissioner’s Office (ICO), the sector is experiencing the most cyber attacks since records began in April 2015.

In fact, the healthcare sector accounted for the highest number of data security incidents for the quarter, with 239 cases reported in Q3 2016. Cyber incidents accounted for 74 of these reports.


So why is the NHS such an attractive target for cyber criminals? Is patient data becoming increasingly valuable to cyber criminals and/or are opportunists simply exploiting weakness? Either way it’s clear that the healthcare sector needs to reassess the management and security of its data.

Old technologies expose security loopholes

Recent results of a Freedom of Information Act request revealed that 90% of NHS Trusts are still running Windows XP, exposing hospitals to threats designed to exploit vulnerabilities for which Microsoft no longer issues patches. But it’s not just obsolete operating systems that pose a risk – anecdotal evidence suggests that healthcare organisations are running hundreds of legacy applications in the background.

Indeed, it has been estimated that some hospitals have as many legacy applications operating behind the scenes as the number of beds in their facility.

Older technologies, whether hardware or software, are more prone to security loopholes, as well as corruptions, failures and outages, making Trusts an easy target for ransomware attacks.

Despite the risks, not to mention the huge costs and drain on resources associated with running these obsolete systems, the practice is still worryingly commonplace across the healthcare sector.

The far-reaching nature of cyber crime

The ramifications of lost or compromised data in the NHS can be catastrophic, as recent news regarding cyber security breaches in the NHS testifies. At the end of last year, North Lincolnshire & Goole NHS Trust was infected with malware that left the hospital’s infrastructure down for four days.

Appointments and operations were postponed and delays were incurred in A&E across the region. Earlier this year, the largest NHS trust in England became the latest target.


Barts Health NHS Trust was hit by a Trojan malware infection affecting thousands of files across at least four London hospitals, forcing systems offline.

Clinical risk and the impact on the delivery of patient care is naturally the biggest concern in the event of a cyber attack. After all, a compromise of data in the healthcare sector could have serious implications for patients.

Beyond this, the fallout from a data breach can be far-reaching, from financial repercussions to staff demoralisation and loss of confidence that could lead to resignations.

The damage to a hospital’s reputation is also significant, particularly in an era where the NHS is already under a great deal of public and media scrutiny.

Access to data and cyber security go hand in hand

So what’s stopping the NHS from ditching old data and pulling the plug on obsolete operating systems and legacy applications? It’s important to understand the perceived value of legacy applications to comprehend why they are still widespread across modern hospitals.

According to BridgeHead’s online survey: “How Do You Manage Legacy Systems?”, 9 in 10 hospitals keep old applications running to preserve data. The same number expressed reluctance to discard data because it contains relevant patient information.

Regulations and compliance were also cited as a factor by 88% of respondents. But, with the 2018 changes coming from the General Data Protection Regulation (GDPR), European healthcare organisations will have increased responsibility – and face much greater penalties – for failure to manage their data appropriately.


While retention of clinical information makes perfect sense, it’s harder to explain why 8% of hospitals do not migrate this data to a new application and/or extract it into an archive for improved data management, as well as security.

Ironically, a quarter of respondents claimed to be “playing it safe” when it came to preserving old data, raising some doubt about their awareness of the potential security risks and the available alternatives.

Value is in the data not the application

Many healthcare professionals are failing to recognise that the real value is in the data not the application. Furthermore, they have yet to make the connection between their obsolete systems and applications and the security risks they pose.

Overstretched and under-resourced, many hospitals feel that it is easier to carry on doing what they are already doing than to make changes in this area.

Trusts wrongly believe that there is no easy way to extract this patient information into a safe environment while making it accessible to those that need it, when they need it, at the point of care. In effect, hospitals are prioritising data over security but it should not, and need not, come down to a choice between the two.

Making legacy history

While NHS Digital has called for more robust cyber security policies in hospitals, less has been said about the hidden security threats that exist within Trusts.

But, just as any medical professional would say to a patient, “prevention is better than cure”, the same applies to cyber security and disaster recovery.

The NHS must tackle its security weaknesses and close loopholes in order to present itself as a less attractive target to cyber criminals and safeguard patient data.


Failing to retire legacy applications unnecessarily compromises the information contained within, leaving the door open to opportunists.

Beyond safeguarding, unlocking data that lies within legacy systems and applications and making it available to clinicians as part of the electronic patient record (EPR) promises to improve patient consultation, diagnosis and treatment.

After all, service delivery should remain the priority and focus for the NHS as it navigates the challenges and opportunities of the coming decade.

Addressing cyber security has to be a priority – after all, how can any organisation be expected to tackle and improve operational efficiency while under threat or fear of attack?


Sourced by Jamie Clifton, vice president product management and solutions, BridgeHead Software

Nick Ismail
