NHS Digital, the organisation responsible for providing IT solutions to the UK's public healthcare sector, has said it will work more closely with the National Cyber Security Centre (NCSC) to improve the data security and privacy capabilities of the NHS' systems.
Speaking at the Cyber Security in Healthcare conference in London last month, chief operating officer at NHS Digital Rob Shaw said that while the security threats the NHS faces are the same as for organisations in any other sector, the public body faces the additional challenge of providing security while keeping its priority on patient care.
Therefore, the sector needs a fresh approach that recognises that delivering IT solutions is not just about technology, but about protecting data. A key part of this is changing attitudes and leadership culture so that data protection is kept in mind at every stage.
"We need a better culture [around cyber security] because it cannot just be something that is added on at the end," Mr Shaw said.
He added this is not something that NHS Digital can do alone, which is why it is working closely with NCSC to develop standards and make sure staff at all levels are educated about security.
One of the key challenges is that many cyber attacks aimed at the NHS are not especially technologically advanced, but instead rely on social engineering and exploiting human nature in order to gain access to private data.
For example, Mr Shaw highlighted one incident where a healthcare employee was tricked into opening an email that purported to have come from a contact, regarding a subject of common interest.
"When he clicked on the email it appeared to fail to open, but he had compromised his machine and it took two weeks before the compromise was detected," he explained.
Other challenges NHS Digital needs to address include moving away from outdated and unsupported software. For instance, Mr Shaw noted around 15 per cent of Windows installations within the NHS still run the XP operating system, despite the fact this is no longer supported by Microsoft and any new security holes will not be patched.
Fixing this is easier said than done, however, because in addition to the high costs involved with upgrading machines, there is the problem of migrating legacy applications that run on hardware that will not support more modern operating systems.