CLINICAL ENGINEERING

using medical device test software – and they will need to have an asset register of all the software and devices on the IT network. Peter Smithson advised that Trusts can protect themselves by isolating medical devices inside a secure network zone and protecting this zone with an internal firewall that will only allow access to specific services and IP addresses. They should implement strategies to review and remediate medical devices; rapidly integrate and deploy software and hardware fixes provided by the manufacturers of medical devices; and ensure that devices are procured from suppliers only after a review with the manufacturer focusing on the cyber-security processes and protections.

Access to medical devices needs to be managed, especially through USB ports, while there also needs to be a strategy for managing the end of life of medical devices. He added that medical device supplier contracts need to be updated to cover support and maintenance, specifically addressing malware remediation, while Trusts should favour medical device suppliers that use techniques, such as digitally signed software and encryption of all internal data, with passwords that can be modified and reset. When a device is selected, information security teams should have the ability to test and evaluate suppliers independent of the acquiring department. In addition, Trusts should use technology that is designed to identify malware and persistent attack vectors which may have already bypassed its primary defences.

Ultimately, Peter Smithson pointed out that there are significant benefits to the increasing connectivity of medical devices and digitalisation of healthcare – from faster access to diagnostic results and telemedicine, to wellness tracking. However, there are also risks. “It is a ticking time-bomb and we need to be prepared,” he concluded.

Lack of investment in NHS cybersecurity

Following an investigation, Sky News has claimed that NHS Trusts are ‘putting patients at risk’ by not protecting their data online. Sky News worked with security experts to find serious flaws in their cybersecurity, which could be easily exploited by relatively unskilled hackers. Hacker House was able to find misconfigured email servers, outdated software and security certificates, along with NHS Trusts’ emails and passwords, through public searches.

The report also stated that seven NHS Trusts, serving more than two million people, spent nothing on cybersecurity in 2015. A Freedom of Information request found that:

• The average annual spend for an NHS Trust was £23,040, but six Trusts spent at least £100,000.
• Forty-five NHS Trusts were unable to specify their cybersecurity budget at all.
• The investigation also revealed that Trusts are suffering an increasing amount of personal data breaches, from 3,133 in 2014 to 4,177 last year, and that cyber incidents are accounting for more breaches, from eight in 2014 to 60 last year.

Tim Jarrett, from Veracode, an expert in security solutions, commented: “This investigation reveals inconsistencies in cyber defences within the National Health Service as well as a troubling increase in the number of personal data breaches which could compromise patient security. It is time for the health sector to wake up and recognise that its goldmine of data will soon come under constant attack on a similar scale to what we have already seen in the financial services sector.

“As the NHS begins to implement its paperless healthcare strategy, it must also increase cyber security procedures to protect digital documents and data. This means making implementation of encryption technology alongside rigorous testing of all applications for vulnerabilities a top priority to keep hackers and cyber criminals locked out.”




NPAG Clinical Engineering Conference

Chaired by Richard Steventon, NPAG North and South clinical engineering facilitator, NPAG’s Clinical Engineering Conference took place 13 September 2016, at the Holiday Inn, Stratford-Upon-Avon. The event covered a wide variety of topical areas for discussion, including presentations on:

• ‘Medical devices and IT Networks: what are the issue and how can medical physics help?’ Patrick Maw, UCLH NHS Foundation Trust.
• Cyber security of networked medical devices, Peter Smithson, CliniBizTech Solutions (www.clinibiztechsolutions.co.uk)
• ‘Medical equipment management and the DH GS1 adoption strategy’, David Weatherby, GS1 UK.
• ‘Through the keyhole: human factors and the imaging chain’, Tristan Williams, Karl Storz Endoscopy (UK).
• ‘Regulation of clinical technologists?’ Andy Mosson, renal technical manager, Churchill Hospital, Oxford.
• GMDN for clinical engineering, Edward Glenn, GMDN Agency.
• MHRA update and MDSO status, Dr Louise Mulroy, MHRA.

For details of events in 2017, visit: www.npag.org.uk

FEBRUARY 2017




WWW.CLINICALSERVICESJOURNAL.COM I 21

