NHS hack prompts tougher UK cyber security rules for private providers

A cyber attack affecting thousands of UK NHS patients has helped trigger action by Sir Keir Starmer’s government to force private providers of essential public services to toughen protections against hackers. 

Contractors will have to strengthen digital security under plans unveiled in the King’s Speech to tackle the growing vulnerability of digital “supply chains” that serve state institutions. 

The June 3 ransomware hack by Russian group Qilin on the Synnovis public-private pathology joint venture has disrupted healthcare for thousands of people registered with big London hospitals.

It underscores the extra digital security risks in the increasing use of private service providers by the NHS, a policy of both Conservative and Labour governments.

“There is a huge gap in the system, as we don’t have a clear regulator for healthcare cyber security that will investigate the patient safety impact of cyber security incidents, monitor supplier behaviour and enforce punishments for non-compliance,” said Dr Saif Abed, a former NHS doctor and expert in cyber security and public health.

The big international IT outage on Friday that left most GP surgeries in England unable to access patient record systems, some hospitals having to work manually from paper, and some pharmacies unable to dispense vital medicines has highlighted the profound impact of disruption to digital services on the NHS.

Ministers this week proposed a cyber security and resilience bill in response to attacks by “criminals and state actors” on “hospitals, universities, local authorities, democratic institutions and government departments”.

The legislation aims to strengthen cyber security rules and reporting requirements spread at present between 12 regulators covering core infrastructure sectors and digital services such as online marketplaces. 

Britain needed an “urgent update” to its rules so its infrastructure and economy were not “comparably more vulnerable” than those of EU counterparts, the government said. The bloc has launched its own upgrade of its cyber resilience regulations since the UK left in 2020.

If passed into law, the UK bill would toughen cyber safeguards and incident reporting requirements for private companies supplying public services. It would also resource regulators through “potential cost recovery mechanisms” and widen their powers to investigate potential cyber vulnerabilities.

Healthcare is a main focus of the UK move and a big target of hackers worldwide. The government has highlighted how the Synnovis hack in June has so far led to the postponement of 3,396 outpatient appointments and 1,255 elective procedures at King’s and Guy’s and St Thomas’s. 

The incident made it “painfully clear how vulnerable parts of the health service are to attack”, one government official said.  

“These attackers saw a weak link in the NHS supply line and ruthlessly exploited it,” the official added. “Digital suppliers need to have the same protections as the health service itself.”

Synnovis, which is 51 per cent owned by the international diagnostics business Synlab, said it welcomed all efforts to strengthen cyber defences and protect services against the activity of criminals and hostile actors.

It added that it had dedicated “every available resource” to containing the impact of the June 3 hack and rebuilding service capacity, and investigated the incident with the NHS and the National Cyber Security Centre, a branch of UK signals intelligence agency GCHQ.

The cyber security bill was a “definite step in the right direction” towards protecting healthcare, said Dr Saira Ghafur, lead for digital health at Imperial College London’s Institute of Global Health Innovation.

Important details still needed to be established, she added, including which regulator would oversee the new rules, how they would be implemented and what sanctions they would contain if companies failed to use adequate security.

“We need to be better at enforcing cyber standards on suppliers and taking punitive action when these standards are not being met,” Ghafur said. “We are only as strong as the weakest link — and we have seen the resulting damage to patient care when this has failed.”