NHS trusts are putting patients at risk by failing to satisfactorily encrypt online data, according to a major investigation.
The organisation Hacker House has discovered that there are serious flaws in NHS cybersecurity.
Hacker House is a team of computer hackers seeking innovation within the information security industry.
The organisation found misconfigured email servers, outdated software and security certificates, and NHS trusts’ emails and passwords, with its experts uncovering numerous problems in the NHS system.
Jennifer Arcuri, co-founder of Hacker House, was rather scathing on the state of IT in the NHS.
“I would have to say that the security across the board was weak for many factors. Out of date SSLs, out of date software, it was very clear that you could bypass any number of these trusts just by doing the right recon online. So if I was an adversary looking to get into any of these trusts or take advantage or change, manipulate or send communications on behalf of a doctor, I could, just because the information was already there.”
Gary Colman, an NHS employee attached to the West Midlands Ambulance Service who conducts penetration testing of trusts, concurred to some extent, but also explained some of the difficulties involved in securing NHS data.
“It’s a game of cat and mouse to be honest. It’s ever-evolving. And trying to stay on top as both a hacker, an ethical hacker, but also from the point of view of NHS IT teams, is just a huge task. We find varying levels of IT security within the NHS, and local government as well. Some organisations are very very secure, others need a little more attention.”
However, Colman also outlined the ultimate potential cost of insecure NHS data, asserting that “At the end of the day if someone hacks into an NHS trust, somebody could die”.
A Department of Health spokesman expressed suitable concern about the efforts of Hacker House.
“We expect all parts of the NHS to take the threat of cybersecurity extremely seriously so that patient data is protected. We already have in place cybersecurity support services such as careCERT, and are continuing to take action with NHS Digital to enable Hospital Trusts to drive forward improvements in security where needed.”
IT systems in Lincolnshire and Devon have been targeted by hackers in recent weeks.
Hospitals in the US, meanwhile, have been shut down by hackers demanding ransoms.
Investigations have also revealed that the number of personal data breaches in the NHS is showing an upward trend.