I’m of an age (and possibly
generation) that still enjoys listening to the daily Radio 4 show, ‘The Archers’.
This is the world’s longest running drama; the radio show started in 1951,
and there have been some 19,000 episodes. At one time it was described as ‘an
everyday story of country folk’, although these days it’s probably something
like ‘a contemporary drama set in a rural landscape’. In February this year, it
was voted the second best UK Radio Show (Desert Island Discs was number one).
Last week, being Halloween, many of the episodes focused on all things scary,
trick or treating and so on. The view on Halloween night itself was that
children today don’t make much of an effort to dress up, want money instead of
treats and generally Halloween itself was another example of an unwanted US influence.
Well, it may not have been scary
in Ambridge, but in downtown Wigan it certainly was! Last week, I and the rest of the Trust Board attended
a training session on Cyber Security. Frightening? Yes it was! The
training was approved by GCHQ, the UK’s intelligence and security organisation,
and was facilitated by someone with a brilliant sense of edgy humour. He
managed to make the seriousness of the risk something everyone sitting in the room
could understand.
I guess many of this blog’s readership
might think that the worst consequences of a cyber-attack might be stolen bank account
or credit card details, identity theft or that they might have to reset their passwords
yet again (more of which later). However, it’s a lot more worrying than that.
Data is becoming extremely valuable, and the NHS has oodles of data. Ernst and
Young (one of the big five accountancy firms) estimate that data held by the NHS
could be worth somewhere in the region of £10bn a year through operational
savings, improvements to patient care and benefits to the wider economy. Their
report also considers the trading values of patient data, particularly in the areas
of genomics, and pharmacology. Getting your hands on such data and selling it
could make the unscrupulous very rich indeed. In 2015, criminals stole 80m
records from Anthem, a US health insurance company, with a market value
estimated at $1bn. Safeguarding such patient data is critical, not only from an ethical and professional perspective, but also for maintaining health care services.
The NHS was one of the biggest victims
of the 2017 cyber attack called WannaCry. This global attack affected at
least 80 NHS Trusts, and some 600 primary care organisations in the UK. Over half of
these organisations were locked out of their IT systems. The attack was only
stopped when a young cyber-security researcher called Marcus Hutchins, whilst surfing the internet in his bedroom, stumbled
over a so-called ‘kill switch’ and was
thus able to stop the attack. The WannaCry attack resulted in almost 7,000
cancelled appointments and at least 19,000 follow up appointments. It cost the NHS
more than £92m to sort out and restore their systems. With the ever-increasing
move to electronic patient records, such a catastrophic impact would be
increased tenfold in the future, should there be a similar attack.
What the WannaCry attack also revealed
was that the NHS were woefully unprepared for such an attack and the level of
understanding as to what organisations might do to protect themselves was shockingly,
almost completely lacking. There was little in the way of even basic safeguards
in place. Systems and the software being used were old and inadequate for contemporary
use. If it had occurred on a Monday and not a Friday, the impact would have
been even more disastrous. As a consequence, NHS England developed an action plan
for improving cyber-security procedures. The training I attended last week was
part of this action plan in terms of raising awareness across NHS Trust Boards.
It appears that the healthcare
sector was the most targeted industry for cyber-attacks in 2018. There were
some 1.1 billion email threats (phishing) intercepted last year. Some 30% of all
phishing emails are opened, exposing the individual and/or their organisation to
attack. And if you think you are careful and could never get caught out, in this
training session there were (at least) three people who admitted to opening up
such an email. Human curiosity knows no bounds, and there really are no boundaries
in cyber-space. Colleagues had found themselves victims. They discovered they
had bought a motorbike, lost their identity, and run up thousands of pounds in
debt, all of which took many, many months to untangle and restore order.
And if you think it can’t get any
worse, it can. Many new digital developments in healthcare come with not just benefits,
but new risks too. Heart pacemakers have a wi-fi functionality, leaving them
vulnerable to hackers who could run the batteries down or alter the patient’s
heartbeat. Late in 2018, the US Food and Drug Administration ordered the recall
of six types of pacemakers that had been implanted in some 465,000 people. I have
not been able to find out what we are doing in the UK. Answers on a post card
please.
There is lots we can do to combat
the cyber-security threats. The NHS has a great little guide, which you can
find here. As well as the physical things we can do (like locking office doors,
logging off when we leave our computers, checking IDs and so on), and the organisational
procedures we should have in place, it’s changing the culture that really brings
best results. It’s not easy to achieve though. Often behaviour change in many areas
lasts no longer than six weeks before people return to their old ways.
Something that perhaps explains why so many diets fail in the long term.
Now I’m one of those folk who
complain about how many different passwords I have and how often they need
changing. Never again. If you want convincing of how difficult it might be to
change culture and raise people’s awareness of the need to be more careful, vigilant
and aware of the threats we are facing, take a look at this video (don’t worry
it only lasts two minutes) – safe surfing.