Cyber-attacks and primary care: the need for digital health resilience

Richard Armitage is a GP and Public Health Specialty Registrar, and Honorary Assistant Professor at the University of Nottingham’s Academic Unit of Population and Lifespan Sciences. He is on twitter: @drricharmitage

On Thursday 4th of August the NHS was targeted by a cyber-attack.  The assault caused significant malfunctioning of the software central to the NHS 111 service, and interrupted electronic patient referral systems pivotal to ambulance dispatch, out-of-hour GP appointment bookings, and emergency prescription facilities.  While an NHS England spokesperson claimed it caused “minimal disruption,” the attack was expected to cause delays to emergency ambulances and to increase the flow of patients from NHS 111 to GPs across all four nations of the UK, while being predicted to not be fully resolved until the following week.¹

This assault may be the first cyber-attack to bring about large-scale disturbances within the NHS after deliberately and exclusively target the health service.  Many will recall the effects of the WannaCry ransomware in May 2017, which prevented access to critical digital systems in the NHS.²  That particular attack, however, was relatively unsophisticated, infected over 230,000 computers in at least 150 countries (rather than specifically targeting the NHS), and affected machines running the Microsoft Windows operating system by encrypting data and demanding ransom payment in the cryptocurrency Bitcoin.  A ‘kill switch’ was activated by a cyber-security researcher on the evening of the first day of the assault, which prevented further devices from being infected and brought the attack under control.  The subsequent investigation revealed that none of the 80 NHS organisations impacted by WannaCry had applied the Microsoft update patch advised by NHS Digital only a few weeks before the attack, admitted to “Historic underinvestment in network security and up to date software,” and found an urgent need to improve “Discipline and accountability around cyber security at senior leadership and Board level.”²

In contrast, the latest attack appears to have been purposely designed to target NHS digital systems.  While this may be the first of such incidents to strike the UK’s health service, a growing number of cyber-attacks aimed deliberately at health systems are being mounted on the global stage, with a variety of strategies and nefarious intentions including espionage, sabotage, and financial theft.  For example, patient data may be stolen, deleted or corrupted in cyber-attacks on health systems,³ as was the outcome of the 2018 attack on the SingHealth database, and the 2014 attack on US health insurance company Anthem, in which cyber-criminals illegally accessed the personal information of 1.5 million Singaporeans and 80 million Americans, respectively.^4,5  In addition, the rapidly enlarging network of interconnected medical devices, including hospital-based equipment and implantable sensors, can now be hacked, manipulated or entirely disconnected, with obvious and potentially devastating consequences for patient privacy and safety.⁶  These examples, in addition to the recent attack on the NHS digital infrastructure, reveal the extent to which the digitisation of healthcare renders these systems, including those paramount to contemporary general practice, astonishingly vulnerable to incapacitating cyber-threats.

Sophisticated digital assaults on large and connected computerised health systems reflect the growing number of cyber-attacks targeting a variety of other industries, including financial systems, multinational corporations, and even nuclear facilities that generate energy and warheads.  For example, the Stuxnet computer worm, first discovered in 2010 but thought to have been developed from 2005, digitally targeted Iranian centrifuges pivotal to the enrichment of nuclear material, and caused a critical malfunction and postponement of Iran’s nuclear program,⁷ while a cyber-attack on the Ukrainian power grid in 2015 caused some 225,000 customers to lose power for several hours across several of the country’s districts.⁸  Concerningly, the ability to design, create and mount such attacks is becoming increasing ‘democratised’ and readily available, as the digital sophistication and technical ability of  individual, group-based, and state-sponsored cyber-adversaries continues to escalate while the culpability of these actors becomes increasingly untraceable.

Primary care has and continues to undergo widespread implementation and scaling of digital technologies, especially over the course of the previous two decades, and is widely considered to be of paramount importance to the delivery of high-quality healthcare, the improvement of patient health and wellbeing, and the efficient functioning of a health system under continuous and increasing multi-faceted pressures.  This trend is not only restricted to UK primary care, as the uptake of digital health into nationwide health systems is increasingly adopted on a global scale to accelerate progress towards the ‘Sustainable development goals.’⁹  However, such rapid digitisation, multisystem connectivity, and gigantic collections of sensitive digital data, renders the protection of virtual healthcare environments to be of vast, increasing and non-negotiable importance.  Despite this, as the recent attack on NHS systems reveals, sufficient investment in crucial cyber defences remains recursively deprioritised and chronically neglected, rendering its digital infrastructure vulnerably exposed to unacceptable degrees of reputational, financial, and patient safety threats.

Dramatic investment is urgently required to address the real and present danger of cyber-attacks on NHS primary care.  Frustratingly, this need becomes particularly pressing at the moment that general practice is least favourably positioned to consider it a priority.  Unprecedented demand on primary cares services, driven by the COVID-19 pandemic, an ageing population, and an increasingly exhausted and unsatisfied workforce,¹⁰ requires dedicated funding streams to address these growing problems, while digital fortification of primary care infrastructure is easily ignored both politically and professionally.  However, without adequate investment into the digital health resilience of contemporary general practice, the rapidly increasing capabilities of cyber world criminals will continue to render its foundational systems precariously exposed and dangerously vulnerable, and threaten to collapse primary care entirely.

References

1. BBC News. NHS 111 software outage confirmed as cyber-attack. https://www.bbc.co.uk/news/uk-wales-62442127 [accessed 06 August 2022]
2. Department of Health & Social Care. Lessons learned review of the WannaCry Ransomware Cyber Attack. February 2018. https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.pdf [accessed 06 August 2022]
3. S Ghafur, E Grass, NR Jennings, A Darzi. The challenges of cybersecurity in health care: the UK National Health Service as a case study. The Lancet Digital Health 01 May 2019; 1(1): 10-12. DOI: 10.1016/S2589-7500(19)30005-6
4. Singhealth. Joint press release by MCI and MOH – Singhealth’s IT system target of cyberattack. 20 July 2018. https://www.singhealth.com.sg/news/announcements/joint-press-release-by-mci-and-moh-singhealths-it-system-target-of-cyberattack [accessed 06 August 2022]
5. BSI Group. Lessons learned: Anthem data breach. 2015. https://www.bsigroup.com/LocalFiles/en-US/Whitepapers/Information%20Security/BSI-lessons-learned-anthem-data-breach-whitepaper.pdf [accessed 06 August 2022]
6. BSI Group. Cybersecurity of medical devices: Addressing patient safety and the security of patient health information. 2017. https://www.bsigroup.com/LocalFiles/EN-AU/ISO%2013485%20Medical%20Devices/Whitepapers/White_Paper___Cybersecurity_of_medical_devices.pdf[accessed 06 August 2022]
7. JP Farwell and R Rohozinski. Stuxnet and the Future of Cyber War. Survival 28 January 2011; 53(1): 23-40. DOI: 10.1080/00396338.2011.555586
8. Electricity Information Sharing and Analysis Centre. Analysis of the Cyber Attack on the Ukrainian Power Grid. 18 March 2016. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2016/05/20081514/E-ISAC_SANS_Ukraine_DUC_5.pdf [accessed 06 August 2022]
9. World Health Organization. Global strategy on digital health 2020–2025. https://cdn.who.int/media/docs/default-source/documents/gs4dhdaa2a9f352b0445bafbc79ca799dce4d_02adc66d-800b-4eb5-82d4-f0bc778a5a2c.pdf?sfvrsn=f112ede5_68 [accessed 06 August 2022]
10. C Tilley. NHSE: Salaried model conversations ‘have contributed to low GP morale.’ 16 June 2022. https://www.pulsetoday.co.uk/news/workforce/nhse-salaried-model-conversations-have-contribute-to-low-gp-morale/ [accessed 06 August 2022]

featured image: Photo by Kevin Ku on Unsplash