Pushfor: The Next NHS Virus

by Dharmendra Patel @ Pushfor | 25th May 2017 3:03 pm

As the NHS continues its return to normality following the cyber-attack that resulted in around 20% of all NHS Trusts being affected, just how long will it be before this happens again on a larger scale?

The global response to reduce the spread of the “WannaCry Virus” has been rapid, but this incident has highlighted a major issue that no one is addressing. “Human Naivety” is almost certainly the major contributing factor in the rapid spread of the virus. We live in a world where we are all used to receiving attachments by email. But how can we expect ordinary people to be disciplined, when even the likes of Google and Facebook are now being caught by phishing email scams?

What this incident has highlighted is the human capital cost that the NHS has had to invest in. NHS staff are literally walking the corridors and manually updating PCs before they can be signed off as safe. It is incredible that in a world where security patches are now regularly released by Windows, the NHS is still completely reliant on its staff to ensure that patches are applied. This is not part of their job description or skill set. Many employees would not even do this at home, as most personal devices get their updates automatically. This manual approach to updating PCs cannot be sustainable moving forward.

Now let’s move on to the subject of the General Data Protection Regulation. This is the most radical shake-up of how personal data is managed in Europe and gives the Information Commissioner’s Office (ICO) new powers from the 25th May 2018. No one is even talking about this in the news today, and this cyber attack highlights how vulnerable the NHS is to the risk of new punitive fines from the ICO. Can NHS Trusts really afford to pay the fines, as it will undoubtedly impact the care they can provide? The Prime Minister made a statement that “she did not believe patient data was compromised”. But once GDPR is in force, the regulation dictates that it is an obligation to ensure data is secure. In light of the cyber attack, it is clear that the data is not secure if someone is able to prevent access to it.

In a world where ordinary people are so used to using cloud technologies like Facebook, WhatsApp and Twitter – quick, easy and effortless – why can’t the same principles apply to the way the NHS operates? It is blatantly clear that the use of personal devices has crept into the organisation, as employees find new ways of being productive, so why not embrace them as a way of initiating behavioural change? New “push” technologies are more secure, reduce the ability of malware to enter an organisation and give organisations more visibility on how content is being consumed internally and externally. Storing data on local machines is no longer appropriate in the modern world, and unfortunately this practice will continue until people have the confidence that their productivity is not going to be restricted.

As we all now try to predict the new cyber attack, spare a thought for something that is going to happen on the 25th May 2018. Unless the NHS starts to embrace this, the stress on the system will only increase, making it more and more vulnerable. It is simply not scalable to have staff walk the halls of the hospital upgrading PCs with the latest security patches. Likewise, it is unrealistic to expect staff to understand whether they are breaching GDPR regulations. Organisations need to make data governance easy for employees to understand and manage. The starting point for this is recognising that behavioural change will only happen if accompanied by the adoption of new technologies that we all use in our day-to-day lives.

Source URL: https://www.gdpr.associates/pushfor-next-nhs-virus/