Hospital cybersecurity funding has been increased in the UK in the wake of the recent WannaCry ransomware attacks that crippled parts of the NHS. Health Secretary Jeremy Hunt has pledged that a further £21 million ($27 million) will be made available to 27 major trauma centers in the UK to improve their cybersecurity protections. The additional hospital cybersecurity funding is intended to make it harder for hospitals to be attacked with malware.
The WannaCry ransomware attacks on May 12, 2017, affected 48 NHS trusts in the UK and prevented medical services from being provided to some patients. Hospital systems were taken out of action, and it took several days for systems to be brought back online. Attacks on that scale should not have been possible and should not have had such a major impact on patients. Additional hospital cybersecurity funding was clearly needed to ensure essential updates to computer systems could be performed.
The additional funding will be made available to hospitals throughout England, including King’s College, Royal London and St. Mary’s in London and the Manchester Royal Infirmary. The funding will be used to make essential updates to computer systems and to train staff on security awareness.
The updates include phasing out the use of the unsupported Windows XP operating system. That process was already underway when the WannaCry ransomware attacks occurred, with the percentage of hospitals using the system having dropped from 18% to 4.7% in the past 18 months. Upgrading the remaining computers will be a priority.
NHS Digital has also announced that it will be enhancing cyberthreat intelligence sharing and will issue rapid alerts to warn hospitals when new cybersecurity threats are discovered, in addition to setting up a hotline for NHS trusts to call when security incidents occur. It will also be setting up a program of audits to assess preparedness for cyberattacks and the ability of hospitals to repel cyberattacks.
Details of the additional funding have been set out in the document "Your Data: Better Security, Better Choice, Better Care", which is the government's response to the review of data security published by Dame Fiona Caldicott, the National Data Guardian for Health and Care.
The report also states that there will be stronger sanctions introduced by May 2018 to protect anonymised data, and severe penalties for organizations that are negligent or deliberately re-identify individuals.
Plans are also underway to give patients better access to and control over their health data, and NHS organizations are now required to formally adopt data security standards, conduct annual data security reviews, and provide security training for staff. They must also develop extensive plans to respond to data security incidents to ensure services continue to be provided in emergencies.
The health minister Lord O’Shaughnessy said, “Only by leading cultural change and backing organisations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat.”