IT expert Dr John Lockley, Clinical Lead for Informatics with the Bedfordshire Clinical Commissioning Group (CCG) in the UK, also believes healthcare providers need to factor in more elements alongside IT considerations.
In a presentation at the EHI Live event in Birmingham, entitled ‘A holistic view of healthcare cyber security’, he suggested it was wrong to think of IT in isolation: ‘We have to consider what IT interacts with – programmes interacting with patients, the paperwork, protocols, processes and pounds, as well. We need also to remember that people are involved and how they and their psychology work.’
This is not just about individuals falling for phishing emails and clicking on unauthorised websites, or hospitals installing advanced virus blockers and other firewall safeguards, but also about ensuring staff are adequately trained in how to respond to such threats. Additionally, personnel need the time, a robust infrastructure, and the correct hardware and software to carry out their roles correctly and safely.
Dr Lockley said that the National Health Service (NHS) often invests heavily in certain parts of the system but fails to guard against ‘back door’ attacks on the more vulnerable aspects of its IT.
He also warned that systems running unsupported software, such as Windows XP, were particularly vulnerable to attack and added: ‘My advice is for hospitals to spread resources carefully and thoughtfully in terms of cyber security and educate and train staff. That means having money available to buy in people to do the teaching and then giving staff the time to receive the training.’
Equally, hospitals should not go to the opposite extreme of having so many technical and procedural checks inserted into their systems that they prevent people from working efficiently. With NHS organisations now working more closely with local authorities, as health and social care come together, the health service needs to ensure it is not left vulnerable when linking with outside bodies that have older, or more vulnerable, IT systems and equipment.
Cyber security needs board level priority and 24/7 IT team availability – John Lockley
Health remains a prime target for hackers and the consequences of not adequately protecting data can be devastating, with patient and clinical information potentially lost, encrypted or even altered by hackers. ‘The first priority is, take regular backups; the second priority is to ensure that you’ve put in all the latest software patches; and the third element is to train the staff to think carefully about what they are doing and not automatically click on links or open documents just because they are there,’ Dr Lockley advised. ‘Cyber security also needs board level priority and it’s important to have the IT team available 24 hours a day to respond.’
Hospitals and healthcare providers should also be aware that it is not always straightforward to upgrade to the latest versions of software, because that may impact, or not be directly compatible with, other parts of the system. ‘Overall,’ he added, ‘when it comes to cyber security, hospitals should think holistically and not just about the software, or the hardware, but also remember to give ordinary front-line staff enough training in cybercrime awareness - and then give them enough time to put these defensive procedures into action.’
Dr John Lockley is the Clinical Lead for Informatics for Bedfordshire CCG (Clinical Commissioning Group), chair of SystmOne National User Group and a member of the eReferral Service Programme Board and Electronic Referral Advisory Board. He is also Deputy Chair of the Board of Bedfordshire and Hertfordshire LMCs Ltd and Chair of Beds and Herts LMC IM&T advisory group.