
Three steps to improving the security of the NHS

Against a backdrop of more persistent and diverse cyber threats, the NHS is facing an uphill battle in keeping patient data safe and vital services operating efficiently. 

The WannaCry ransomware attack in May this year, which crippled a number of NHS Trusts, demonstrated the reality of cyber threats and their potential to impact directly on patient services. In the wake of the attack, NHS bosses and the government faced questions over why hospitals had been left vulnerable, and how they can better mitigate the impact when another attack takes place.

As part of its drive to become an increasingly digital organisation, the NHS must demonstrate that it can protect the data that it holds and the systems on which it functions or risk losing the support of the UK public. Our newly published report ‘Securing a new lifeline for the NHS’ explored the views of 100 IT decision makers (ITDMs) across the NHS, revealing some concerning trends and highlighting the need to push security to the top of the agenda. Key insights included:

  • The likelihood that data has already been compromised is high, with 80 percent of ITDMs believing that electronic staff records have been compromised, and almost a third saying the same about patient data
  • There is a clear need to dedicate more budget to protecting the NHS’ IT estate, with 70 percent stating that more must be spent on IT security to modernise infrastructure and bolster defences
  • As well as investing more in infrastructure, the NHS also needs to invest in its people – ensuring that they have the skills and capabilities needed to create a secure IT environment, and know how to deal with a cyber attack when it occurs. A worryingly high 38 percent of ITDMs say that their team lacks the skills to improve cybersecurity infrastructure and strategy
  • It’s not just malicious hackers that pose a threat to data integrity: NHS staff (32%) and even patients (30%) themselves were among the most likely causes of a data breach. Responsibility for protecting any organisation no longer lies solely with the IT team but sits with anyone who interacts with data and devices. In an increasingly data-driven and digital care environment, this means pretty much everyone needs education on the role they have to play

It’s an incredibly tough challenge, but we believe there are a few key steps that NHS organisations can take to improve their approach to cybersecurity.

Smart investment in the right technologies – analysis following WannaCry revealed that many NHS trusts were using obsolete systems, while others had failed to apply recent security updates which would have protected them. Reports suggest that around 90 percent of NHS trusts in the UK were using Windows XP – a 16-year-old operating system – which was a major contributing factor in enabling the spread of the ransomware attack.

The incident raised awareness of the need for the NHS to modernise its approach to IT security and focus on protection from the inside out; this means investing more than the 10% of its IT budget that it currently sets aside for security. To mitigate the immediate cyber security risks, the government must work closely with the NHS to move away from unsupported operating systems, including Windows XP, and focus on implementing a security-first culture.

Foster innovation and modernisation through skills investment – as well as investing in updated infrastructure, more needs to be done to address the skills needed to keep pace with increasingly sophisticated threats. The NHS needs to invest in its staff by identifying areas for improvement and providing them with the necessary training or support.

This could take the form of programmes that encourage innovation and best practice sharing to equip the workforce with the skills necessary to combat today’s threats, and funnel digital talent to where it is most needed.

Educate staff and the public about their role in fighting the cyber threat – seeing over a million patients every 36 hours makes the NHS an unbelievably fast-paced environment. It’s no surprise, then, that there is a certain amount of human error when it comes to the use of IT systems as part of the care process. Clicking on a dodgy link might seem like a trifling issue, but it’s enough to spread malware throughout an entire organisation’s IT environment. The NHS, as with any organisation, needs to highlight the role that its staff and even its patients play in helping it tackle the cyber threat. It needs to introduce better education campaigns for employees, as well as the wider public, to raise awareness of cybersecurity, from the tactics used to the key behaviours that can mitigate its impact. Part of this is introducing a more security-conscious culture where all NHS staff play their part in being vigilant against threats and acting accordingly, to ensure that when a hack occurs, it can be tackled immediately.

There are many examples of brilliant innovation across the NHS, where Trusts are doing amazing things to protect our data in very difficult circumstances, with shrinking budgets. In order to restore confidence in the NHS’ ability to keep data safe and protect essential front-line services from being crippled by a cyberattack, investment needs to centre on protecting against threats known and unknown and making security a top priority.

By Tim Hearn, Director, UK Government and Public Services at VMware