Having experienced the destruction of the WannaCry attack, the National Health Service (NHS) underscores the importance of building up cyberdefences and ensuring the leadership team recognises cybersecurity as a top priority. Healthcare service providers also need to be proactive and think about where threats may come from next.
These were the three key lessons the UK healthcare agency gained from the ransomware attack in 2017, which brought down the systems of businesses and hospitals worldwide including at least 45 NHS organisations.
"You have to keep building your defences and invest in building your defences. And you have to get [the] management and leadership [teams] to understand its importance [of doing so]," said NHS Digital Chairman Noel Gordon, in an interview with ZDNet. "There are risks and they have to make it a top priority for hospitals to keep their defences up-to-date."
Stressing the need to also be proactive in thinking about potential threats, Gordon said NHS implemented several cybersecurity measures across the healthcare group in the aftermath of WannaCry, in order to improve its resilience.
"Every organisation has to take the risks seriously and be very vigilant because it can happen anytime, anywhere," he said. "That's what I would share with Singapore: keep building your defences, get your leadership to take it seriously, and be proactive constantly."
The NHS executive was responding to questions about how Singapore should move forward following a spate of healthcare-related security breaches, including one involving SingHealth that compromised the data of 1.5 million patients.
On its part, NHS spent £20 million (US$25.85 million) setting up a security operations centre to safeguard hospitals against cyber attacks and carry out various tasks, including vulnerability testing and malware analysis. It also would monitor NHS national systems as well as ensure NHS organisations observed best practices.
Its digital team, which is responsible for the group's IT systems, comprises some 3,000 employees including between 100 and 150 cybersecurity specialists. Each hospital also has its own CIO and security team.
Tapping data to improve healthcare
NHS has spent the last seven years deploying its digitisation strategy and recently kicked off a new 10-year plan that puts a stronger focus on prevention and wellness and includes tools such as the NHS app, which helps patients manage their ailments.
The national health service previously had not used technology extensively, traditionally focusing its adoption on primary care with limited technology application in secondary and tertiary healthcare, Gordon noted. In its digital transformation, NHS structured its technology roadmap around five areas: empowering patients; hospital digitisation; tapping technology to bring together primary, secondary, and tertiary care; using data to manage health systems more effectively; and using digital tools to build a robust life sciences industry.
It had a government-funded budget of £4.7 billion (US$6.07 billion) over five years spanning 2015 to 2020.
It currently is looking to build a database of digital health records to enable patients to view their conditions in primary and secondary care, such as the drugs they are taking, their previous diagnosis and treatment, and the next steps they need to take.
In addition, it is aiming to accelerate the digitisation of hospitals or EMR (electronic medical records). Some 20 hospitals currently are "almost paper-free and almost completely digital", but there are another 150 hospitals under NHS that still are going through this process, according to Gordon.
He estimated that it would take more than 10 years for the entire hospital ecosystem to be fully digitised. "But we have started that process and have learned a lot of lessons on how to carry out hospital digitisation successfully," he said.
It also puts emphasis on checks and balances. The NHS app, for instance, offers more than 100 apps in its library, all of which are approved and certified by the group even though these had been developed by the private sector, he noted.
Pointing to the importance of providing guidelines to third-party developers, he said NHS issued an artificial intelligence (AI) code of conduct stipulating rules that apps using AI should conform to in order to increase their chances of being certified and included in the NHS app.
Gordon explained: "So there's transparency in the algorithm, how data is used, where data is going, and how an audit trail should be established around the app. Rather than regulate AI in healthcare, we decided to go with an advisory code of conduct first and hope the marketplace will adopt.
"Legislations always is the last resort. It's easier to incentivise [the right behaviour]," he said, adding that all major AI app developers had agreed to observe the code of conduct.
Looking ahead, Gordon said AI, analytics, and 5G offered opportunities to drive the "Internet of Health Things". For instance, he said, AI could be used in radiology or image analysis to detect cancer and other diseases. Analytics also could reveal valuable learnings on population health management and local disease risks, he added.