Hackers can make your pacemaker or your insulin pump kill you – and the NHS needs to respond to that threat

Cyber-security is not just about keeping data safe - it's about protecting patients' health

Ara Darzi
Wednesday 01 November 2017 19:18 GMT
Pacemakers and insulin pumps can be used in lethal ways by knowledgeable hackers (Getty)

In one sense we can be grateful to the hackers who launched the WannaCry virus which led to one of the most devastating cyber attacks on the NHS to date. It proved that cyber-security is not just about keeping data safe. It is about keeping patients safe.

This is often missing from discussions about cyber-security. The investigation by the National Audit Office, published on Friday, revealed that the NHS was much harder hit than at first thought, with more than one in three NHS trusts affected, 19,000 appointments cancelled and almost 600 GP practices disrupted.

It could have been worse. If the attack had happened on a Monday at the start of the week rather than, as it happened, on a Friday, far more patients would have been affected. It was only stopped when 22-year-old cyber-security researcher Marcus Hutchins stumbled on a “kill switch” which he activated from his bedroom in Devon, disabling the virus.

It was not the first time the NHS has succumbed to an attack – and it will not be the last. Hundreds of operations and outpatient appointments were cancelled across Lincolnshire in 2016 after the local NHS trust fell victim to a virus.

Freedom of Information requests to NHS trusts in 2015-16 revealed that as many as half were hit by ransomware in the preceding year. And this week hackers targeted the London Bridge Plastic Surgery clinic and its celebrity client list and threatened to release photos of the procedures undertaken.

Healthcare is one of the most targeted sectors globally by cyber-criminals for two simple reasons: it is a rich source of data and a soft target. Medical records are worth more than credit card details on the dark web because they contain personal identifying details that can be used to open bank accounts, obtain loans or acquire a passport. A credit card can be replaced but a birth date cannot be reset. In 2015, criminals stole 80m records from Anthem, a US health insurance company, with a market value estimated at $1 billion.

Even so, the danger posed by hackers can seem remote, until you consider their potential to target medical equipment. In 2013, former US vice president Dick Cheney revealed that his doctor had ordered the wi-fi functionality of his cardiac pacemaker disabled owing to fears it might be hacked in an assassination attempt. These fears were cemented last August when the US Food and Drug Administration ordered the recall of six types of cardiac pacemaker implanted in 465,000 people because of risks hackers could run the batteries down or alter the patient’s heartbeat.

So far, attacks on healthcare have been principally for financial gain. But we have to face the prospect that they could, intentionally or otherwise, cause direct, physical harm – say by altering blood groups or test results.

One well-known US hacker called Barnaby Jack has demonstrated how an insulin pump could be hacked remotely to deliver a lethal dose of the hormone. As wireless and implantable devices become more widespread – from Fitbits to deep brain stimulators – the risk is bound to grow.

The NAO report criticises the Department of Health, saying it knew of the risks but failed to heed the warnings. Yet the health service faces unique challenges. Healthcare is fragmented – there are lots of systems and lots of users. For security it needs to restrict access, but for safety it needs to enable it. A typical NHS trust will have thousands more IT accounts than employees, to provide the locums, agency staff and temporary workers with the computer access they need to allow them to do their jobs. The NHS is one of the hardest organisations to protect.

But the way we have failed to protect our medical data is symptomatic of a wider malaise – our failure to value it. The NHS has a unique store of millions of medical records providing an unparalleled resource from which, with the use of digital techniques, we may speed progress to the next breakthroughs in medical science and transform care.

One of the alarming findings of the NAO investigation was that when the cyber attack struck, no one knew who was in charge. We need digital leaders in every trust who can spearhead the development of the digital NHS, ensuring it is prioritised, protected and fit for the 21st century.

At the Institute of Global Health Innovation, which I lead, we have established the first NHS Digital Academy, commissioned by NHS England, which will begin training aspiring digital leaders from across the country in April 2018, with our partners the University of Edinburgh, Harvard Medical School and Imperial College Healthcare NHS Trust.

The development of the digital NHS holds huge potential. To achieve it, however, we must build and sustain public trust – trust that risks being undermined if NHS organisations are seen to be vulnerable to cyber attack. Secure systems are vital or we risk squandering the enormous gains the digital revolution could bring.

Professor the Lord Darzi of Denham, OM, is a surgeon and director of the Institute of Global Health Innovation. He was a Labour health minister from 2007-9.
