Was the NHS to blame in U.K. cyberattack?

May 22, 2017

The WannaCry ransomware cyberattack left parts of the U.K. National Health Service (NHS) at a standstill. Operations and appointments were canceled, MRI and CT systems had to be shut down, and staff were forced to revert to paper notes. However, this was not the first time a healthcare institution has been hacked and with prevalence rising, cybersecurity is an issue that increasingly will shape the future direction of healthcare IT.

To start with, was the NHS at fault in the cyberattack? In short, not really. The cyberattack had an effect on other organizations across Europe and globally, both in the healthcare field and other industry sectors. In fact, only one in five NHS trusts (or hospital groups) was affected, suggesting that for the majority, cybersecurity is being well managed.

Stephen Holloway is a principal analyst and the company director at Signify Research.

Fundamentally, though, two characteristics of NHS healthcare IT may have made it a susceptible target and unable to quickly prevent spread. Firstly, most NHS hospital trusts have an IT infrastructure built on a patchwork of IT systems and software, a byproduct of the scrapped National Programme for IT (NPfIT) and subsequent variety of solutions and vendors installed at each trust since. This has created a complex, multi-stakeholder environment that is challenging to manage and maintain, and inherently has created opportunity for missed security updates and loopholes.

Secondly, almost all NHS trusts are connected via the national N3 email network -- something uncommon in most advanced healthcare economies. While this may not have been the entry point for the original cyberattack, it was thought to have propagated the initial spread between trusts, and it forced nonaffected trusts to shut down their networks as a precautionary measure. To provide added context to the inherent risk of a nationalized email system, it was only last year that the N3 system was crippled when a contractor accidentally sent a test message to the 1.2 million NHS employees, resulting in a dreaded "Reply All" chain that generated 186 million emails and crashed the system for several days.

Price to pay for interoperability?

Interoperability has of late been the buzzword for health IT vendors and providers, driven by a desire for more integrated exchange of health data and more connected care. While for many providers today this is only taking shape within the clinical sites of the same network, the push toward internetwork data interoperability at regional or national level is pronounced.

Therefore, the rapid spread of the WannaCry ransomware via the national NHS email network may cause some managers to re-think the push for regional or national health IT networks, as the larger the network, the bigger the potential effect of future cyberattacks. It is doubtful cybersecurity concerns will prevent centralization at a regional or national level, but it is likely to slow the progression of connected care until resolute security safeguards can be adopted.

Also, renewed security concerns may create an overall change in the architecture of health IT implementation. If we consider the example of radiology IT and enterprise imaging, software vendors have been pushing third-party hosted and managed service offerings in the last few years. Adoption has been relatively slow, though, with most providers deeply embedded in a capital purchasing budget cycle and remaining tied to managing their own IT administration and infrastructure.

Furthermore, one of the biggest arguments most providers make for not taking on third-party solutions also centers on security -- they don't trust their imaging data being offsite and "out of network". Yet third-party or hosted solutions commonly have better security records against cyberattacks than on-premise solutions managed by health providers themselves.

Infrastructure supporting hosted imaging IT solutions is commonly dispersed across multiple federated datacenters. A single attack to one center therefore does far less damage on the whole network, leaving the remaining centers operational, and limits the effect on the health provider, compared with the far greater effect of the provider's own datacenter going down. Also, maintenance and security updates on the larger third-party networks generally are more regular and more advanced than an individual health provider can manage themselves.

While the above is a simplistic view of a complex issue, and does not even touch on the issue of complex legislation on how health providers manage and store patient data, the growing risk of cyberattacks will no doubt add to the argument for market change toward hosted IT both in imaging IT and wider enterprise solutions.

A common responsibility

The exact cause and "ground zero" of the WannaCry ransomware attack have yet to be disclosed, but the attack also reignites the debate on responsibility.

This is a complex legal, technological, and ethical issue. Yet some unconfirmed reports in the initial aftermath of the NHS attack have highlighted cases where healthcare technology providers of modality imaging hardware, devices, and software may have actively advised NHS trusts to ignore the required security software patches to avoid compliance issues with their technology. If this is the case, then these select health technology vendors and IT administrators will be at risk of severe repercussions.

Such instances are probably rare, but until recently imaging IT, and PACS especially, was well-known for the "dark arts" of providing solutions with complex proprietary software keys to make it harder for providers to migrate to a different vendor. While disturbing, the recent reports are therefore not overly surprising, especially given the increasingly competitive and high-stakes contest for growing healthcare IT budgets.

There has also been growing momentum for device and software operating systems to become more open source or tailored to the health provider that uses them (e.g., see the ongoing debate and coverage of the NHS Ubuntu pilot). However, there has been little evidence to suggest that a more open source approach would prevent cyberattacks any better than current operating systems have to date.

It seems apparent then that security responsibility falls to the collective of legislators, providers, and industry vendors to uphold and maintain stringent network security for healthcare. For legislators and providers, the focus should be on ensuring clear guidance, training, and stringent adherence and monitoring, while also actively discouraging the use of solutions from vendors that fail to meet security criteria or push proprietary software that compromises network security. Consequently, this would also provide a clear mandate for industry vendors to provide clear evidence of adherence to the highest standards of security, or risk missing out on their next big order.

When it comes to cybersecurity, we're all in this together.

Stephen Holloway is a principal analyst and the company director at Signify Research (www.signifyresearch.net), a health tech, market-intelligence firm based in Cranfield, U.K.

The comments and observations expressed herein do not necessarily reflect the opinions of AuntMinnieEurope.com, nor should they be construed as an endorsement or admonishment of any particular vendor, analyst, industry consultant, or consulting group.
