Anderson: 'prepare for more viruses'

A well-known IT security expert has told E-health Insider that hospitals need to accept that viruses exist and has urged them to be better prepared for attacks.

Ross Anderson, Professor of Security Engineering at Cambridge University, told EHI: “Hospitals need to design systems on the understanding that viruses exist, just like hospitals are built on the knowledge that C. difficile and MRSA exist.”

He compared hospital systems without anti-virus protection to “surgeons in gardening clothes”, adding that just as protective clothing could help to prevent the spread of infections, anti-virus measures could help to prevent the spread of computer viruses.

Anderson, who is also a well-known critic of the National Programme for IT in the NHS, argued that it made all aspects of network security more important.

He said the programme was making medical records “instantly monetisable” by making them accessible at a national rather than a local level. He also warned that “the bad guys” would set up sophisticated hacking and social engineering operations to take advantage of this.

“At local level, the bad guys can access around 10,000 patient records, but there’s not a lot that they can do with that information unless they stumble across a celebrity’s record. On a national scale, anyone’s record is accessible instantly, which makes access very valuable,” he said.

Anderson’s comments were made after More4 News aired a mini documentary showing that more than 8,000 viruses infected NHS computers, monitors and other equipment last financial year, with at least 12 having a significant impact on patient care.

The programme referred to the Mytob worm attack that caused havoc at Barts and the London NHS Trust last November after it rapidly infected the trust’s 4,700 PCs. Earlier this year, EHI published the findings of an independent review of the attack, which found it was “entirely avoidable.”

The More4 documentary also detailed a more recent attack in Scotland, in which NHS Greater Glasgow and Clyde NHS Trust was struck by the Conficker virus. It froze staff out of computer systems for two days and led to 51 appointments and radiotherapy sessions being rescheduled.

A number of trusts admitted to More4News that their networks were attacked because anti-virus systems were turned off or not properly applied.

The documentary was based on Freedom of Information requests to which 75% of trusts responded, suggesting that the number of virus attacks last year could have been as high as 10,000.

Anderson argued the only way to improve security would be to make access to all medical records compartmentalised and localised. He said: “This means getting rid of the foolish dream of a single electronic record and having IT departments selecting their own localised systems.”

He said he believed this will be a theme of the forthcoming independent review of NHS IT that the Conservatives commissioned from Dr Glyn Hayes, which is due to be published in the next few weeks.

Link: More4 News coverage