Andrew Raynes, CIO, Royal Papworth Hospital: The next Cyber Attack – Will it or won’t it hurt?

By Andrew Raynes, CIO, Royal Papworth Hospital

The cyber threat to health and care has, it seems, never been more prevalent than now. The pandemic has seen an increase in ripples of spam and phishing attempts, but in more recent years the real threat to the systems which support our services and hold vital data for our patients and staff has become so much greater.

I remember thinking that the WannaCry attack in May 2017 was the most significant IT devastation I had seen in my career. In real terms it was a much greater threat than Y2K seemed at the turn of the millennium. Thoughts such as ‘Is patching up to date?’, ‘What versions of Windows are you using?’ and ‘What are we connected to that is likely to disrupt other services or patients?’, and the reality that this could cause harm, loomed heavily.

The truth is that COVID has shown in undeniable and glorious technicolour the real value that technology can have in helping to provide continuity of health and care and, similarly, what happens when it becomes a barrier. Even during surge, cyber criminals persisted with phishing attempts and attacks such as ‘Dharma’ and ‘Snake’, some of which targeted audio visual tech to bring down the very systems keeping vital multi-disciplinary team meetings, and other meetings, running.

We know there are many web sites and forums out there which sell the latest hack, and we know the value of a health record on the dark web. We live in a world where cyber-crime has grown exponentially and is capable of causing serious trouble by exploiting every angle of weakness.

Being ahead technologically is one thing, and having point-to-point security, back-ups, firewalls, antivirus, Advanced Threat Protection, or artificial intelligence-powered surveillance all helps, but we need to think about our people. When we look to the news and see some of the more prevalent tech companies such as Facebook or Twitter, or airlines such as BA or EasyJet, falling victim to cyber-crime, it does make you think. As more stories of serious cyber-attacks roll in, we need to be ever conscious of how our services might be affected by the next targeted campaign. The capability and penetration of cyber-attacks should never be underestimated, and we need to constantly ask ourselves whether we are ready (or not).

The WannaCry ransomware attack cost the NHS £92m and resulted in the cancellation of almost 20,000 appointments. While we still talk about it today, if we look closely, have we moved forward, and can we protect our most vital assets? Patient information is at the end of every health and care attack and, given the richness of the data, it makes me wonder: how do you ensure, therefore, that this topic is a focus in every organisation and not brushed off as ‘it’s an IT thing’? Consider how linking Cyber to your main objectives as an organisation (patient safety, sustainability, emergency planning and, of course, reputation) can make it everyone’s responsibility.

Next time you think about the technology stack that’s protecting your organisation, the assets, its information and ultimately your patients and staff, think about:

  • How prepared are you?
  • How well is your board sighted on Cyber?
  • What about your staff?
  • What about the issues and what to do when it strikes?
  • How frequently do you patch?
  • How well do you monitor and report on access and Cyber?
  • How trained are your departments to cope?
  • What critical services do you restore first?
  • What continuous improvement cycles do you go through, and
  • Do staff know the business continuity process in place?

So where does this topic feature in the long list of important things to do today? Well, what we do know is that, with time, technology continually improves, and in a frenetic health and care environment we need to keep ahead. Cyber security is a vital part of everyday health and care and we need to embrace the challenge. As we have seen, somewhere there is someone who is ahead and has intent, so it becomes a case of not if but when. So how will you prepare, and will your organisation be ready? In the words of Crimewatch, ‘Don’t have nightmares’, but do start discussing your plans today.