
Survey: NHS IT leaders fear risk of patient harm from cyber hacking

David Bicknell Published 26 September 2017

VMware and Intel research says third of NHS IT decision makers say hackers have infiltrated electronic patient data; 38% say teams lack skills to improve cyber infrastructure and strategy


Research by VMware and Intel has found that almost a third of the NHS IT decision makers surveyed are certain that the NHS's electronic patient data has been infiltrated by hackers. 80% of them are also sure electronic staff records have been compromised.

The survey, “Securing a new lifeline for the NHS”, reveals a growing threat to patient care and front-line services and sheds some light on the consequences of successful breaches.

Nearly two thirds of respondents (62%) fear attacks on equipment or facilities could result in patients coming to harm. Over a quarter (29%) have had to cancel or postpone appointments following an incident, while a quarter (26%) have had to halt a research project following an incident.

According to the survey, with £21m in funding to help trusts defend against cyber-attacks such as WannaCry, 70% of respondents admitted more funds need to be spent and more done to address the skills needed to keep pace with increasingly sophisticated threats. Following an attack, 28% of respondents stated they had lost skilled staff, while 38% believe their team lacks the skills to improve cybersecurity infrastructure and strategy.

The study also suggests better education is required for staff and the public around cyber threats and hints at an insider threat. Although the IT leaders surveyed said that hacktivist groups (50%) and individual cyber-criminals (49%) are most likely to leak NHS data, NHS staff (32%) and patients (30%) themselves were also considered to be risks.

Tim Hearn, director, UK Government and Public Services, VMware said, “Across the NHS, there are many fantastic examples of IT leaders being incredibly innovative in embracing new technologies to defend their complex infrastructures against cyber-threats. But the NHS is facing an uphill battle in keeping patient data safe against a backdrop of more persistent and diverse threats which increasingly target applications, bypassing traditional security. It needs to modernise its approach and focus on protection from the inside out; this means investing more than the 10% of IT budget on security that it currently sets aside.”

“Its leaders are clearly saying two things – that the risk of data breach will have a significant negative impact on patients and the UK as a whole, and that they need more support, investment and skills in remaining secure. A huge part of this is introducing a ‘People, Process and Technology’ approach to security – ensuring that, as well as having the right technology in place, people receive the right training and education to help tackle the threat.”

David Houlding, director, healthcare privacy & security, Intel said: “Cybercriminals today are taking advantage of unpatched systems and unwitting employees with ransomware and phishing attacks, resulting in a record number of breaches worldwide. It is now more important than ever to comply with data protection laws and security standards, know the security posture of your organisation relative to the industry, and proactively remediate gaps to actively address security issues.”

The issues around cyber security in the NHS will be discussed at a session at the UK Health Show at Olympia tomorrow. The session, "How can we advance training and recruit new talent to build a cyber-security savvy workforce in the NHS?" takes place from 10.45-11.25.

With all Trusts now unable to ignore the people aspects associated with defending the NHS against future cyber-attacks, this panel will ask:

  • How is the government building on the momentum of its Cyber Essentials programme, through a fresh push to drive adoption and move beyond basic protection?
  • How can NHS staff and board members be effectively upskilled to understand key risks and manage cyber security?
  • To what extent is the NHS investing in and successfully recruiting new people to implement specialist cyber-security services?
  • How can the NHS actually improve the technology to protect users, as well as provide sufficient training?
  • Where do the big gaps still lie in establishing a cyber-security savvy workforce within the NHS?
