An expert on cyber security has warned that the Scottish government must spend significantly more if cyber attacks on NHS computer systems are to be avoided.
The comments of Prof Bill Buchanan follow a ransomware attack on 11 health boards in Scotland last month.
This so-called WannaCry attack also affected computer systems worldwide.
Buchanan believes that this incident should be considered a wake-up call to the government and health authorities.
While ransomware is a serious issue, Buchanan also believes that the NHS faces bigger threats.
In particular, he points to the possibility of a large-scale power outage, which could cause loss of life.
Holyrood’s health committee inquiry into the ransomware attack discovered that the WannaCry virus found its way into Scottish NHS systems either through their connection with the NHS England network or through the internet.
There were also vulnerabilities in network firewall configurations, and some versions of Windows in use in the Scottish NHS had not been appropriately patched.
And Buchanan, from the Cyber Academy at Edinburgh Napier University, described the penetration of Scottish NHS systems as entirely avoidable, indicating his belief that the failure to apply patches and upgrades was inexcusable.
“This was a critical patch, critical is the highest level. If you want to use something from Spinal Tap, this was an 11 out of 10 in terms of its threat. So it should have been patched, it was well known and it was a race for the industry to catch up with the patch before those with the skills to make something malicious turned their evil hands to something,” Buchanan commented.
And the professor also suggested that a repeat of the ransomware situation, or another similar incident, could result in considerably worse outcomes.
“I think we got out of this very well but it could happen that it would be much more severe. Our systems are legacy and we need to admit that. I think we need a massive increase in spending not just on computers, but in really looking at healthcare services and how we provide that to the citizen.”
But Andy Robertson, director of IT at NHS National Services Scotland, defended the efforts of the authorities to deal with the WannaCry attack.
“We think our defences worked fairly well in terms of the impact it had on the health service and we think where we were breached we were able to recover as per our recovery plans,” Robertson asserted.
However, the director of IT also conceded that extra investment is a necessity, suggesting that £15 million annually could be a viable figure.
Yet Buchanan rubbished this assessment, asserting that “you need to add zero and then maybe another zero” in order to reach an acceptable level of expenditure.