Skip to content

Ex security chief warns of future attacks

By by Guy Lynn and Stephen Menonguy_lynnBBC Investigations, London
Blavatnik School of Government A facial close up of Ciaran Martin looking directly into the lens of a camera. He has got white short hair and is wearing a white shirt underneath a navy suit. The background is blurred.Blavatnik School of Government

Ciaran Martin, former head of the National Cyber Security Centre said hack was “one of the most serious cyber incidents in British history”

A leading cybersecurity expert has warned that the NHS remains vulnerable to further cyber-attacks unless it updates its computer systems.

This stark assessment comes in the wake of a major ransomware attack that has severely disrupted healthcare services across London.

Prof Ciaran Martin, the founding CEO of the UK’s National Cyber Security Centre (NCSC), told the BBC: “I was horrified, but not completely surprised. Ransomware attacks on healthcare are a major global problem.”

NHS England said it was increasing its cybersecurity resilience and had invested £338m in the past seven years addressing this issue.

The outside of St Thomas' Hospital with the signage Welcome to St Thomas' Hospital outside the white brick or white tiled building.

St Thomas’ Hospital: Ground zero for one of the hospitals which suffered of Britain’s most severe cyber-attacks on healthcare

But Prof Martin’s warnings suggest more urgent action may be needed.

A recent British Medical Association report highlighted the NHS’s ageing IT infrastructure, revealing that doctors waste 13.5 million hours annually due to outdated systems – equivalent to 8,000 full-time medics’ time.

The 3 June cyber-attack, which Prof Martin described as one of the most serious in British history, targeted Synnovis, a pathology testing organisation, severely affecting services including at Guy’s, St Thomas’, King’s College and Evelina London Children’s Hospitals.

NHS England declared it a regional incident, resulting in 4,913 acute outpatient appointments and 1,391 operations postponed and major data security concerns.

The Russian-based hacking group Qilin, believed to be part of a Kremlin-protected cyber army, demanded a £40m ransom. When the NHS refused to pay, the group published stolen data on the dark web.

This incident reflects a growing trend of Russian cyber criminals targeting global healthcare systems.

The back of a server rack showing seven cables plugged into the rack which is blue with yellow/green lights above each cable.

Cutting-edge systems are crucial when protecting patient data from cyber criminals

Now a professor at the University of Oxford, Prof Martin highlighted three critical issues facing NHS cybersecurity: outdated IT systems, the need to identify vulnerable points, and the importance of basic security practices.

He warned: “In parts of the NHS estate, it’s quite clear that some of the IT is out of date.”

He stressed the importance of identifying “single points of failure” in the system and implementing better backups.

Prof Martin also emphasised that improving basic security measures could significantly hinder attackers, stating: “Those little things make the point of entry quite a lot harder for the thugs to get in.”

Emphasising the severity of the recent attack, he concluded: “It was obvious that this was going to be one of the most serious cyber incidents in British history because of the disruption to healthcare.”

‘Cybersecurity is costly’

Some front-line staff who spoke anonymously are very worried following the recent cyber attacks, with reference being made to outdated equipment they are using.

A senior intensive care doctor in London warned: “The NHS is vulnerable.

“It’s a patient safety issue, but there’s no interest in addressing it. People either don’t know or don’t want to hear about it.”

An A&E consultant in north London told us they were working with “decade-old computers and Windows 7” and that their systems crashed “every few months” while a junior doctor highlighted the risks of outdated equipment and privatization.

“Old computers pose a security risk for patient data. The Synnovis incident shows how vulnerable we are,” the doctor said.

A senior orthopaedic surgeon described the fragmented nature of NHS IT: “There’s no unified system. A patient’s X-ray in one hospital can’t be accessed in another.

“It’s shocking and worrying for cybersecurity.”

Another junior doctor added: “The NHS isn’t doing enough.

“Cybersecurity is costly, and our funding has been cut for over a decade.

“It’s incredibly frustrating.”

Person using multi-factor authorisation to access their computer. In the background there is a keyboard and computer screen which is black with green text on display.

Experts say basic security measures such as multi-factor authorisation (MFA) could thwart many cyber-attacks

Dr Daniel Gardham from the Surrey Centre for Cyber Security echoed Prof Martin’s concerns about outdated systems and their potential link to cyber-attacks.

“If you have old computers, then simply put, there’s going to be unpatched vulnerabilities,” he said.

“This means that there are ways in for attackers.”

Dr Gardham stressed that while sophisticated attacks did occur, many breaches result from basic security oversights.

“It could be something really, really, simple and actually most likely it is something very, very, simple.

“It would be one person, perhaps, that had a weak password or left their computer unattended in a cafe.

“A lot of cyber security attacks are not sophisticated.”

An NHS England spokesperson told the BBC: “We are increasing cyber resilience across the NHS and over £338 million has been invested over the past seven years to help keep health and care organisations as safe as possible.

“Our ambitious Cyber Improvement Programme will support the NHS to respond to the changing cyber threats, expand protection and reduce the risk of a successful attack.”