Hacking threatens health

A cyberattack has hit London health services, leading to cancelled operations and delays to other essential treatment, possibly lasting for months. Cuts to NHS security budgets will increase the risk of further attacks.

The number of ransomware attacks on the IT services of our hospitals has been steadily growing. That has affected people’s lives and health. Yet resources for this necessary support to health services are not matching the risks.

Weakness

Cyberattacks might be considered as “normalised” for businesses and public services. But defence against these threats is not yet a normal part of every hospital’s risk management. Even when internal hospital systems are robust, and that’s not always the case, any aspect of the service which is outsourced to a private provider is a source of weakness.

This is what has happened in the most recent attack on London health services. Two hospital trusts were affected, along with primary-care providers in six London boroughs. The ransomware attack hit the outsourced provider Synnovis which processes around 100,000 blood tests each day.

Destructive

The impact has been destructive and the effects on patients significant. For the week of 3 to 9 June alone, Guy’s and St Thomas’ and King’s College Hospital NHS Foundation Trusts reported having to postpone 814 elective procedures, of which 97 were cancer treatments. At the same hospitals 18 organs for transplant could not be used and had to diverted for use elsewhere.

Professor Clive Kay, Chief Executive of King’s College Hospital NHS Foundation Trust, said, “The cyber-attack has had a significant impact on our services, and this is likely to remain the case for some time yet”. Estimates of the recovery time vary, but it could take up to three months. The number of postponed procedures will continue to grow.

On 21 June, the cyber criminals published some of the patient data online. Three days later NHS England confirmed that data had come from Synnovis.

Shortsighted

A new NHS England programme aimed at expanding cyber security was recently reported to have had its budget cut. The government trumpets spending on innovative technology. That’s fine, but it’s shortsighted to skimp on basic IT infrastructure.

The incoming government would do well to listen to the advice of existing NHS cyber security staff to reverse this cut as the alternative could be much more expensive.

Outsourced

• Pathologists who carry out testing used to be direct NHS employees. Most now work for outsourced companies like Synnovis, where a dispute about restructuring is brewing. Staff have criticised the move to a new central hub, which they say is not fit for purpose and leaves few pathologists on site at hospitals.

Synnovis won the lucrative 15 year contract for the testing services in 2020. It is a joint venture between the hospital trusts and Synlab, a German company, ultimately controlled by private equity. It has a complex history.

The trusts originally set up an earlier joint venture, Viapath, with outsource company Serco in 2009. When Viapath lost the contract in 2020, the trusts bought out Serco and went into partnership with Synlab. At the time, Unite described the procurement process as “murky”.