NHS ‘fragile’ in face of cyber attacks during pandemic, Chatham House warns

Chatham House security experts recommended that the government seeks help to protect the NHS, which could be ill-prepared to deal with the aftermath of a cyber attack.

The World Health Organization (WHO), US Department of Health and Human Services, and hospitals in Spain, France, and the Czech Republic have all been targeted with cyber attacks during the Covid-19 crisis. A successful attack in the Czech Republic shut down the entire IT network for a hospital with one of the country’s largest Covid-19 testing facilities. This forced the hospital to reschedule urgent surgeries and move patients to nearby hospitals, as well as delaying many test results.

Now, Chatham House is warning that strain on the NHS caused by the pandemic could make it vulnerable to cyber attacks, despite many security measures having been taken since the 2017 WannaCry ransomware attack disrupted the NHS and other organisations.

“Evidently, the NHS is stretched to breaking point; expecting it to be on top of its cyber security during these exceptionally challenging times is unrealistic,” said Joyce Hakmeh, senior research fellow at the think tank’s International Security Programme.

Following the enforcement of social distancing measures, many NHS staff are working with critical systems and patient records remotely, making much of the NHS’s work heavily reliant on secure and reliable IT networks. The pandemic has also forced some of the usual security processes to be side-stepped. For example, the national audit of NHS security and cyber resilience has been put on hold until at least September.

Hakmeh said that the NHS should go beyond bolstering its staff and equipment capacity, as cyber security is critical for ensuring that the NHS can continue its work. She suggested that the government could call on the private cyber-security sector for assistance during this time.

“Now is the time where innovative public-private partnerships on cyber security should be formed – similar to the economic package that the UK Chancellor has put in place to shore up the economy against the Covid-19 impact and the innovative thinking on ventilator production,” she wrote in a blog post. “The ways in which this support can be delivered can take different forms. The important thing is that it is mobilised swiftly.”

Neil Bennett, acting chief information security officer at NHS Digital, responded: “This is a time of unprecedented stress on the NHS, not least for the cyber-security and IT teams who are continuing to work hard in all NHS organisations to keep patient data and systems secure, to continue to deliver safe patient care.”

“Working closely with partner organisations such as the National Cyber Security Centre and NHSX, we have created a new programme of work to help tackle the challenges that Covid-19 has presented the health and care sector,” he continued. “This will support local organisations even further to identify and fix technical issues, provide resources where needed, enhance our threat intelligence and threat-hunting capabilities, and support the new field hospitals to set up their operations securely.”

“In addition, we are doing further work to protect Critical National Infrastructure assets […] and we are continuing to issue guidance to the sector on secure remote working, which we will continue to update as the threat landscape develops.”

According to Reuters, hacking attempts targeting the WHO have more than doubled since the beginning of the coronavirus pandemic. The news agency reports that some of the attacks were carried out by hackers working in the interests of the Iranian government. Four sources with knowledge of the matter said that phishing attacks had been directed at the personal email accounts of WHO staff, with details in the phishing attempt pointing to links with Tehran.