NHS to bolster IT security following cyber attacks

Government announces £150m investment in technology

Jeremy Hunt

The NHS is to spend £150m to improve its cyber defences following the chaos caused by the WannaCry virus last year.

The news that a new security contract has been drawn up with Microsoft comes amid warnings that hackers linked to Russia and other countries have been targeting Britain’s critical national infrastructure, including power networks.

The Department of Health and Social Care said the package would enhance security intelligence and give individual trusts the ability to detect threats, isolate infected machines, and kill malicious processes before they are able to spread.

This new technology will ensure the NHS can use the latest and most-resilient software available – something the public rightly expects

Health secretary, Jeremy Hunt, said: “We know cyber attacks are a growing threat, so it is vital our health and care organisations have secure systems that patients trust.

“We have been building the capability of NHS systems over a number of years, but there is always more to do to futureproof our NHS against this threat.

“This new technology will ensure the NHS can use the latest and most-resilient software available – something the public rightly expects.”

It comes almost a year after the global WannaCry cyber attack crippled parts of the NHS in May 2017, locking data on computers with demands for money.

At least 80 health trusts and 603 NHS organisations and GP practices were disrupted by the attack, which caused 20,000 hospital appointments and operations to be cancelled as ambulances were diverted from some A&Es.

A scathing report into the incident by the National Audit Office ruled the ‘unsophisticated’ attack could have been prevented if the NHS had followed basic IT security best practice.

And it was revealed that the Government was warned of the risk of cyber attacks a year before the incident and trusts were instructed to move away from outdated software like Windows XP as early as 2014.

The new security measures will ensure all health and care organisations can use the most up-to-date Windows 10 software with its latest security settings, and gives the Care Quality Commission (CQC) regulator new powers to inspect cyber and data security capabilities.

The £150m investment will be spread across three years.

As part of the move a new digital security operations centre is being set up to prevent, detect and respond to incidents.

There will also be £21m to upgrade protective firewalls and network infrastructure at major trauma centre hospitals and ambulance trusts; £39m to help trusts with infrastructure weaknesses; and a new a text messaging alert system that is able transmit information even if internet and email services are down.

We know cyber attacks are a growing threat, so it is vital our health and care organisations have secure systems that patients trust

Moving forward, all health and care organisations will also be required to meet 10 standards set for data security and protection toolkit.

Sarah Wilkinson, chief executive of NHS Digital, welcomed the announcement, saying: “The new Windows Operating System has a range of advanced security and identity protection features that will help us to keep NHS systems and data safe from attack.”

Companies