A lack of accountability and investment in cyber-security measures has been blamed for the recent WannaCry virus that hit NHS IT systems last month, a report released today by The Chartered Institute for IT has found.
The report follows a similar but more limited attack that hit UK-based companies.
Whilst doing the best with the limited resources available, the report suggests some hospital IT teams lacked access to trained, registered and accountable cyber-security professionals with the power to assure hospital Boards that computer systems were fit for purpose.
The healthcare sector has struggled to keep pace with cyber-security best practice, and with a systemic lack of investment the WannaCry attack was ultimately an ‘inevitability’, says David Evans, Director of Community & Policy at The Chartered Institute for IT.
Mr Evans continued: “Patients should be able to trust that hospital computer systems are as solid as the first-class doctors and nurses that make our NHS the envy of the world.
“Unfortunately, without the necessary IT professionals, proper investment and training, the damage caused by the WannaCry ransomware virus was an inevitability, but the roadmap we are releasing today will make it less likely that such an attack will have the same impact in the future.”
The Chartered Institute for IT has joined forces with the Patients Association, the Royal College of Nursing, BT and Microsoft to produce a blueprint that outlines steps NHS trusts should take to avoid another crippling cyber-attack. Top of the list is ensuring there are clearly laid out standards for accrediting relevant IT professionals. NHS boards are being urged to ensure they understand their responsibilities, and how to make use of registered cyber-security experts. And the number of properly qualified and registered IT professionals needs to be increased.
Almost 50 NHS Trusts were hit last month by the WannaCry cyber-attack. It meant computers were encrypted and unusable in many areas of the health service, with hackers threatening that valuable files would be lost forever unless a ransom was paid. It led to operations and appointments being cancelled, and patients were still being diverted from accident and emergency departments six days later.