Poor cyber security at IT firms could put NHS data at risk

  • August 01, 2019

Private technology companies providing IT to the NHS need greater scrutiny over hacking threats to patient data amid “deficient” security monitoring.

Technology firms storing patient data on online databases could be targeted by hackers, a report into healthcare cyber security has warned, with several US health technology companies hit by cyber attacks and data breaches in recent years. The report from Imperial College London said there were warning signs in the US that healthcare cloud providers were failing to stop cyber attacks.

“As of January 2019, 416 cases were investigated ... involving security breaches of health information, 47pc of which were caused by an IT incident or hacking,” the report said.

Cyber attacks on cloud data stores have already led to millions of patient records being leaked online, including a data breach of 12 million US patient records from a database used by medical technology firm Quest Diagnostics discovered earlier this year. Another company, LabCorp, also had 7.7m records compromised from the hacked database.

The report said the NHS had become “completely reliant on third parties to store and protect their data”. It said NHS systems offered “deficient monitoring” of third-party firms and changes were needed at NHS trusts to “continuously monitor” the security of IT vendors.

The warning for Britain's health service came as part of a report calling on the NHS to take urgent steps to protect patient data against hackers, with faulty or outdated IT systems and complex medical devices creating a risk to patient safety.

NHS IT suppliers are increasingly turning to internet storage, the cloud, for their data systems. EMIS, a major NHS outsourcer, last year said it would move records of 40 million patients onto the cloud using Amazon's Web Services business.

The Imperial College paper added there were few rules on emerging technologies, from artificial intelligence algorithms to robotics, to ensure safety is secured.

Dr Saira Ghafur, a co-author of the paper, said new rules were needed to ensure tech start-ups and IT firms that worked with the NHS met a high standard for cyber security. “It’s just trying to make sure that we’ve got some kind of regulation in place that ensures these companies are taking security as a key issue, not leaving it as an afterthought,” she said. “This is not just an IT issue, this is a patient safety issue.”

Professor Eerke Boiten, a cyber security expert at De Montfort University, told The Telegraph there were still concerns over how patient data was used by private companies. “Any story about data being made available to a start-up or in the cloud should cause alarm bells to go off,”