NHS Needs 'Massive' Spending Increase To Prevent Cyber Attack, Expert Warns
20 June 2017, 13:56
A ''massive'' increase in spending is needed to prevent another ''avoidable'' cyber attack on NHS computer systems, an expert has warned.
Professor Bill Buchanan said the ransomware attack that hit 11 health boards as well as NHS National Services and the Scottish Ambulance Service last month should act as a ''wake-up call'' to government and health bosses.
The unprecedented attack, which hit scores of countries, impacted on acute hospital sites in Lanarkshire as well as GP surgeries, dental practices and other primary care centres around Scotland.
Holyrood's Health Committee heard the virus found its way into Scottish NHS systems through either their connection with the NHS England network or through the internet.
It was able to spread through computers that were vulnerable through a combination of their use of a particular piece of software that shares information between devices, a particular network firewall configuration and the fact they had not been upgraded or ''patched up'' to the latest version of Microsoft software.
Prof Buchanan, from the Cyber Academy at Edinburgh Napier University, said the penetration of the virus ''was avoidable'' and there was no excuse for the patch or upgrade not having been carried out.
He agreed with Green MSP Alison Johnstone that the incident should act as a ''wake-up call'' and called for a review of health and social care IT infrastructure.
He said: ''This was a critical patch, critical is the highest level. If you want to use something from Spinal Tap, this was an 11 out of 10 in terms of its threat.
''So, it should have been patched, it was well-known and it was a race for the industry to catch up with the patch before those with the skills to make something malicious turned their evil hands to something.
''I think we got out of this very well but it could happen that it would be much more severe.''
He added: ''Our systems are legacy and we need to admit that.
''I think we need a massive increase in spending not just on computers, but in really looking at healthcare services and how we provide that to the citizen.''
He warned the NHS faced much bigger threats such as a large-scale power outage which could result in ''the loss of lives in Scotland''.
Andy Robertson, director of IT at NHS National Services Scotland, said the health service had measures in place to protect against these types of threats.
He pointed out that the virus had infiltrated only 1% of NHS Scotland's computers, amounting to some 1,500 devices.
''We think our defences worked fairly well in terms of the impact it had on the health service and we think where we were breached we were able to recover as per our recovery plans,'' he said.
He said he agreed that extra investment was needed, suggesting a further £15 million a year on top of the £100 million currently spent on on centrally-managed IT programmes in the NHS.
That amount was described by Prof Buchanan as a ''sticking plaster''.
''I think you need to add zero and then maybe another zero,'' he said.