
“Fool me once, shame on you,” goes the proverb. “Fool me twice, shame on me.” It’s a ready lesson for the UK’s National Health Service (NHS). In August 2022 the organisation was severely impacted by a high-profile ransomware attack on one of its more aptly named third-party suppliers, Advanced Computer Software (ACS). Personal data belonging to 80,000 people was stolen, in addition to sensitive information on how to access the properties of 890 home care patients. More urgent, however, was the resulting outage of ACS’s Adastra system, used by 85% of NHS 111 services, and its Carenotes electronic patient record system, relied upon by a dozen or so mental health and community trusts.
That attack alone should have proven a salutary lesson for the NHS’s IT strategists, one that should have been learned long before the Information Commissioner’s Office imposed a £3m fine on ACS last week. More effective protection of (or from) the NHS’s supply chain of third-party software providers might have prevented the ransomware attack on Synnovis last year. Synnovis, a pathology partnership between several London trusts and the private company SYNLAB, was breached by cybercriminals, and the breach led to the disruption of vital haematology services.
The human cost for patients was, again, stark: at least two patients experienced permanent harm to their health, while more than 120 others reported various degrees of clinical harm. Clearly, something was fundamentally wrong with how the NHS was securing its network of third-party software suppliers. Indeed, in 2023 – slap-bang between both major incidents – NHS England’s CISO for Health and Care acknowledged that the service’s supply chain’s security posture was “15 to 20 years behind other sectors.”
Structural changes threaten to widen that gap. News of the abolition of NHS England and budget cuts for Integrated Care Boards (ICBs) has created uncertainty about the future of NHS cybersecurity leadership and funding. Meanwhile, acute trusts are being forced to scale back corporate spending, potentially reducing cybersecurity investments at a time when a focus on building resilience is most needed.
This uncertainty makes it even more critical for ICBs and trusts to remain focused on managing cyber risks. Addressing the persistent vulnerabilities in the NHS’s digital ecosystem requires a multi-faceted approach that prioritises proactive defence and resilience.
That starts by implementing basic cybersecurity measures. Multi-factor authentication must become standard practice across the NHS and its supply chain, and extensive plans must be made for service continuity and the restoration of vital services in case these defences are overwhelmed. Additionally, the service must break its addiction to single points of failure in its software supply. Overreliance on just one or two providers clearly results in catastrophe when one of them is breached, and as such, the NHS must urgently diversify its technology partnerships to avoid another Synnovis- or ACS-scale breach.
The NHS must also reorganise how it coordinates cybersecurity strategies between its internal divisions and its third-party suppliers. In the case of the former, ICBs and trusts must be given the autonomy and resources to address their specific cybersecurity risks. While a centralised NHS cybersecurity strategy should provide guidance, local leaders should have the flexibility to implement measures suited to their unique environments. Greater collaboration, too, is needed between NHS organisations, suppliers, and ‘the centre’. Continuous, dynamic risk assessments should be embedded into the NHS’s cybersecurity strategy to identify vulnerabilities in real time and address them proactively.
Finally, cybersecurity must be acknowledged as a critical component of patient care. It should not be a “grudge purchase.” Instead, it is fundamental to ensuring that patients receive safe, uninterrupted care in a digital healthcare environment. Investing in cybersecurity today is an investment in patient safety tomorrow.
Jonathan Lee is Trend Micro’s director of cyber strategy