Invest in NHS cybersecurity or risk patient safety, study warns



New research highlights the challenges of cybersecurity in health systems.

The NHS’ lack of security preparedness and poorly defined responsibilities in the face of a cyber-attack leave our health system at risk of major reputational and financial loss, according to new Imperial College London research.

Led by the College’s Institute of Global Health Innovation (IGHI), the case study also highlights how greater cyber-resilience in healthcare – not just in the UK but across the globe – is essential to mitigate potential threats to patient safety.

“The rise of digital technologies is a double-edged sword for healthcare systems,” said senior author and IGHI director Professor Ara Darzi.

“While we must embrace innovation in healthcare to drive positive transformation in systems and care, we need to recognise and urgently respond to vulnerabilities in the security of our systems. This is crucial to ensure the protection of patients and their medical information.”

Fragile systems

The drive towards digitalisation in healthcare holds great promise for catalysing improvements in the delivery, efficiency and quality of care. But as we become more dependent on technology, the susceptibility to cyber-attack becomes ever more present. Hackers can steal, delete or corrupt medical data, and intercept medical devices.

The reality of this situation is highlighted by a number of high-profile cybersecurity breaches, notably the WannaCry incident of 2017. This saw ransomware encrypt data and files on almost a quarter of a million computers in 150 countries, with devastating consequences for NHS England.

In the face of such fragility, healthcare systems need evidence and recommendations to ensure the provision of effective cybersecurity. IGHI has partnered with Imperial’s Institute for Security Science and Technology to address this need.

In their new study, IGHI researchers alongside the College’s Vice Provost for Research and Enterprise, Nick Jennings, use the NHS as a case study to showcase the challenges and complexities of cybersecurity in health systems.

It’s more than just IT

Published in Lancet Digital Health, the work highlights how the NHS’ complicated organisational structure generates problems with defining accountability. This creates difficulties for frontline organisations to seek appropriate resources and help. The authors draw attention to the apparent non-existence of any catalogue to record all software and hardware used by the NHS, papering over cracks and making these weaknesses difficult to identify and rectify.

On top of these issues, the researchers address a historic “chronic underinvestment” in healthcare IT. Although WannaCry prompted an overdue boost in funds to upgrade NHS systems and tighten their security, limited budgets and competition for finite resources mean that cybersecurity is often not prioritised, the authors say.

“The take home message is that we need to be more proactive and not reactive when it comes to cybersecurity in healthcare,” said lead author and IGHI’s Lead for Digital Health Dr Saira Ghafur.

“It needs to be much easier for frontline NHS organisations to have a clear sight of accountability in terms of what they need to do to ensure systems’ robustness in the face of a cyber threat.”

While greater investment in IT is essential, Ghafur added, so too is strong leadership to get cybersecurity higher on the agenda and promote understanding of its importance. Without these crucial steps, not only does this put vital NHS resources under threat, but it risks the safety of our healthcare.


Justine Alford

Institute of Global Health Innovation


Contact details

Tel: +44 (0)20 7594 1484
