False sense of security and weak passwords amongst NHS Staff
In May 2017, the NHS was attacked by ransomware (software that threatens to publish information unless a ransom is paid) which disabled computers and left clinicians unable to access patients’ medical records.
The attack affected one fifth of all NHS Trusts and meant that in some areas the public were warned not to attend A&E unless absolutely necessary, ambulances were diverted to alternative hospitals and 15,000 appointments were cancelled. The attack did not just affect desktop computers but also MRI machines as well as blood storage fridges and theatre equipment.
Prior to the attack, an internal report was carried out by NHS Digital’s Head of Security Functions Chris Flynn, who determined that there was a false sense of security amongst NHS workers and that good security policies were not being put into place on the ground. Several NHS Trusts were found not to have implemented security updates which enabled hackers to attack the NHS.
The leaked report highlighted a lack of secure passwords, with a quarter of personnel having passwords classified as very weak. In addition to this, the access granted to personnel is said to be too vast. Almost all NHS organisations give any member of personnel with a personal log in entry to private details, regardless of how short-term their placement within the team is.
In light of the report, the Labour party have instructed Jeremy Hunt to immediately assess cyber security across the NHS and to launch an independent inquiry into the ransomware attack. The Shadow Health Minister, Justin Madders MP, commented that the “damning briefing should be a wake-up call to the Health Secretary” and that the NHS remains at risk from future attacks. He continued to criticise cuts to the NHS and said that the attack was “yet another example of how insufficient funding is placing patient safety at risk”.
Despite all NHS Trusts being told to implement change following the large scale attack in May, NHS Lanarkshire was the victim of an alternative ransomware attack just last week (August 2017). Some procedures and appointments were cancelled as a result of the attack, which similarly to the WannaCry software used in May, demanded payment of hundreds of pounds via the virtual currency bitcoin. NHS Lanarkshire was one of the most greatly affected authorities in Scotland during the attack in May and so the repeat attack is extremely disappointing.The Chartered Institute for IT determined that a lack of accountability and investment in cyber-security was to blame for the May 2017 attack.
A solicitor in the Medical Negligence team at Ashtons Legal says “We all have a duty to ensure that both our personal and work data are safe, whether it be by ensuring that we use strong, unpredictable, passwords or not working on confidential documents in public. A second attack, following such a catastrophic impact earlier in the year, is frustrating and surely the Health Secretary does not need any further evidence to demonstrate the potential impact that such ‘small’ security breaches can cause. The looming introduction of European General Data Protection Regulation (GDPR) in May 2018 is causing all businesses to revaluate the way they handle data and it is imperative that a strong stance is taken across the board to all employees who do not contribute to the safety of personal data”.
Tags: Data Breach, Lawyers, Medical, Medical Negligence, Negligence, NHS, Ransomware, Solicitors
How can we help?
If you have an enquiry or you would like to find out more about our services, why not contact us?