NHS in Scotland at risk of more cyber attacks warns expert

Scotland is lagging behind England in the creation of 'robust and dynamic' health service IT systems, a Holyrood inquiry into the recent cyber attack on the NHS has been warned.

Professor Bill Buchanan, of the Cyber Academy at Edinburgh Napier University, will appear before MSPs on Tuesday.
Professor Bill Buchanan, of the Cyber Academy at Edinburgh Napier University, will appear before MSPs on Tuesday.

Scots need to wake up to the reality that IT systems at the heart of modern life may be more vulnerable to attack then we think, according to leading Scots tech expert Professor Bill Buchanan, right.

MSPs on Holyrood’s health committee will stage a one-day probe next week into the recent cyber attacks which hit 11 of Scotland’s 14 territorial health boards.

Sign up to our Politics newsletter

The “ransomware” incident, which was linked to other IT attacks around the world, encrypted vital data on NHS computers and denied access to users unless a payment was made.

Prof Buchanan of the Cyber Academy at Edinburgh Napier University, who will appear before MSPs on Tuesday, has warned of the need for change in a submission to the committee.

“The main lesson we have learnt from the ransomware attack is that there is a complete under-investment in the delivery of an IT infrastructure in the NHS,” he said.

“The days of technicians plodding along with 
updates for desktop computers have gone, and centralised security policies and updates are a core part of most modern infrastructures.”

The academic has set out a range of recommendations for the NHS to tighten up its systems.

An “open review” of current systems could be put in place to understand the “critical points of failure”.

Investment should be focused on “dynamic, robust and secure” IT systems which can cope with “major threats” such as a sustained loss of power and malware infections.

He also suggests a “software patch” strategy which would see updates rolled out as serious threats are identified. Sensitive data could also be controlled through greater encryption and control access.

“It is now time to take stock of the current state of cyber security within healthcare, and look at new ways of improving the access to health and social care systems,” Prof Buchanan adds.

The aim should be to “allow data to flow, while minimising risks of data breaches and outages”.

He adds: “In general, Scotland seems to be behind England in the creation of a robust, modern and 
dynamic healthcare infrastructure.

“Overall there is a general lack of citizen access, with weaknesses around the integration of primary and secondary healthcare, along with a general lack of integration with social care.”