Authored by Iain Pennell, Sector Leader at CriticalArc
Most people operating within the NHS on 12th May 2017 will remember how the world’s second-largest healthcare system was brought to a standstill by the WannaCry ransomware attack.
Although the NHS was not specifically targeted, this global cyber-attack affected hundreds of GP surgeries and hospitals across England and Scotland. It resulted in the cancellation of thousands of appointments and operations, in addition to the frantic relocation of patients from stricken emergency centres. Staff were even forced to revert to pen and paper and use their own mobile devices after the attack affected key systems such as telephones.
Now, imagine the repercussions if the WannaCry attack had also occurred as part of a co-ordinated, large-scale physical security breach on the NHS…
The importance of a combined approach to cyber and physical threats
Whilst the NHS has not been the victim of a major simultaneous cyber and physical attack to date, its increasing reliance on technology means such incidents are possible without the right security systems in place to prevent them. Cybersecurity and physical security were traditionally viewed as separate domains, but today’s threat landscape highlights how interconnected and mutually dependent they are.
A cyber-attack on critical NHS systems can have physical consequences, for instance the disruption of power or other essential supplies that directly impact patients’ ability to receive treatment. Indeed, NHS trusts such as King’s College Hospital and Guy’s and St Thomas’ are still reeling from the June 2024 cyber-attack that knocked out pathology services across London. At the time of writing, blood testing was at a fraction of its former capacity, with only urgent and critical cases being processed.
Similarly, a physical breach such as unauthorised access to a server room in a hospital or other healthcare setting can lead to a cybersecurity threat by compromising sensitive data. The impact of this not only includes reduced patient care and reputational damage, but also financial loss in terms of restoring systems, reinforcing security measures, and footing potential fines from regulatory bodies for failing to adequately protect sensitive data and assets. In 2023, NHS Lanarkshire was penalised by the Information Commissioner’s Office (ICO) for the unauthorised use of WhatsApp to share patients’ personal data over the course of two years.
Recognising and addressing the overlaps between cybersecurity and physical security is essential for developing a holistic strategy that enables effective threat detection, swift response and enhanced risk management. This is where innovative technology like SafeZone® can bridge the gap and empower healthcare organisations like NHS trusts to proactively adapt and stay ahead of potential threats.
How SafeZone can support holistic safety and security within the NHS
Streamline response and co-ordination
Consider a scenario where the Chief Information Officer (CIO) at an NHS trust receives threat intelligence regarding a potential cyber-attack. In this instance, the SafeZone platform offers a secure and encrypted means of alerting staff to the imminent threat at a much faster speed and greater scale than traditional methods. Indeed, SafeZone’s conditional automations enable organisations to tailor their mass communications according to specific user groups and their risk profiles, which can help to minimise the impact of an attack while enhancing agility and speed of response.
Maintain the integrity of user data and communications
Once NHS staff are informed about the attack, SafeZone can facilitate co-ordinated remediation efforts. Many healthcare organisations resort to WhatsApp or other social media platforms to communicate during and/or after an attack but this poses significant risks. As already highlighted with NHS Lanarkshire, data privacy is a major concern when sharing personal and identifiable information through channels like WhatsApp as it raises GDPR compliance issues. The data privacy risks associated with this are further underscored by the financial implications of misusing data. In 2023, for instance, Meta was fined a record $1.3 billion by the European Union (EU) for transferring personal user data to the US and breaching GDPR.
Furthermore, non-authorised messaging through WhatsApp can jeopardise critical incident evidence, as messages on these platforms can be edited and/or deleted, compromising the accuracy and integrity of vital information. This can prevent thorough and accurate assessments of how critical incidents were handled, resulting in missed opportunities for improvement. It can also mean failure to meet specific regulations under the Care Quality Commission (CQC) and the General Medical Council (GMC), which could lead to penalties, loss of accreditation or other legal repercussions. In contrast, SafeZone’s secure and encrypted platform ensures all communications are tamper-proof, maintaining data integrity for auditing purposes.
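The integrity property described above (incident messages that cannot be silently edited or deleted after the fact) is the kind of guarantee an auditor looks for in any incident-communication channel. The following is an added illustration of one standard way to provide it, a hash-chained, HMAC-authenticated append-only log; it is example code written for this article and is not SafeZone's implementation, which the page does not describe. The key, sender names and message texts are constructed placeholders.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


class TamperEvidentLog:
    """Append-only incident message log.

    Every entry commits to the authenticator of the entry before it, and every
    entry is authenticated with an HMAC under a key held only by the logging
    service. Editing, deleting or reordering any entry breaks the chain, which
    verify() reports as the first bad sequence number.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._entries: List[Dict] = []

    @staticmethod
    def _canonical(entry: Dict) -> bytes:
        # Deterministic serialisation of the authenticated fields only.
        body = {k: entry[k] for k in ("seq", "ts", "sender", "text", "prev_hash")}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def _tag(self, entry: Dict) -> str:
        return hmac.new(self._key, self._canonical(entry), hashlib.sha256).hexdigest()

    def append(self, sender: str, text: str, ts: Optional[float] = None) -> Dict:
        prev = self._entries[-1]["mac"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries),
            "ts": ts if ts is not None else time.time(),
            "sender": sender,
            "text": text,
            "prev_hash": prev,
        }
        entry["mac"] = self._tag(entry)
        self._entries.append(entry)
        return entry

    def head(self) -> str:
        """Authenticator of the latest entry; record this somewhere the log
        writer cannot reach (e.g. a separate system) so truncation is detectable."""
        return self._entries[-1]["mac"] if self._entries else GENESIS

    def export(self) -> List[Dict]:
        return [dict(e) for e in self._entries]

    def verify(self, entries: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (ok, first_bad_seq).

        Without expected_head, silently dropping the newest entries is NOT
        detected: the remaining prefix is still a valid chain. Supplying the
        externally recorded head closes that gap.
        """
        prev = GENESIS
        for i, e in enumerate(entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False, i  # deleted, reordered or inserted entry
            if not hmac.compare_digest(e["mac"], self._tag(e)):
                return False, i  # edited entry
            prev = e["mac"]
        if expected_head is not None and prev != expected_head:
            return False, len(entries)  # log was truncated
        return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Exercise the log against the tampering cases the article warns about."""
    key = b"constructed-demo-key-not-for-production"
    log = TamperEvidentLog(key)
    log.append("cio", "Threat intel received: isolate shared file servers now", ts=1.0)
    log.append("it-ops", "Shared file servers isolated at 09:14", ts=2.0)
    log.append("ward-7", "Reverting to paper charts until further notice", ts=3.0)
    head = log.head()

    clean = log.export()
    edited = log.export()
    edited[1]["text"] = "Shared file servers isolated at 09:04"   # retroactive edit
    deleted = [e for e in log.export() if e["seq"] != 1]          # middle entry removed
    truncated = log.export()[:2]                                  # newest entry removed

    return {
        "clean": log.verify(clean, head),
        "edited": log.verify(edited, head),
        "deleted": log.verify(deleted, head),
        "truncated_without_head": log.verify(truncated),
        "truncated_with_head": log.verify(truncated, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The point worth taking from the demo is the truncation case: a hash chain alone proves nothing about entries that were removed from the end, so an audit-grade log also needs its current head anchored outside the control of whoever writes the log. Any platform claiming tamper-proof communications should be asked how it handles that case, and who holds the authentication key.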
Unified defence against physical threats
Physical security within an NHS setting usually focuses on managing violence and aggression from patients and visitors to ensure a safe environment that promotes the best possible patient experience. Losing network access during a cyber-attack can inadvertently unlock controlled buildings, creating physical safety vulnerabilities across a healthcare site. SafeZone can support NHS trusts in mitigating and managing such scenarios by integrating IT and operational teams using the same infrastructure, thus facilitating a unified response.
Rapid return to business as usual
Once normal services are restored post-attack, SafeZone enables organisations to promptly inform staff that they can resume business as usual. By saving crucial time in these communications – especially before IT systems may be shut down or diverted to address an attack – NHS trusts can potentially save millions in restoration costs.
Preparing for the Cyber Security and Resilience Bill
As threats to both cyber and physical security continue to evolve, there is a critical need for robust solutions that help healthcare organisations stay ahead of the curve. Indeed, the UK government has already announced it will introduce the new Cyber Security and Resilience Bill to strengthen the country’s public sector cyber defences. This encompasses expanding the remit of existing regulation, putting regulators on a stronger footing to ensure cyber safety measures are being implemented, and mandating incident reporting for improved intel gathering on cyber-attacks.
By adopting a unified safety, security, wellbeing and emergency management solution like SafeZone, NHS trusts can enhance their response capabilities, protect sensitive information, and ensure the safety of their environments. What’s more, embracing a holistic approach to cybersecurity and physical security not only safeguards assets, but also fosters trust and confidence among staff and patients alike.