NHS will use white hat hackers to probe its own cyber defences
£20 million will be spent on new cyber security centre focusing on prevention rather than remediation
NHS Digital, the IT arm of the National Health Service, has secured a £20 million budget to spend on establishing a new cyber security centre, which will constantly scan for attacks and probe the organisation's own defences using ethical hackers.
The NHS will use the money to create "a national, near real-time monitoring and alerting service that covers the whole health and care system", said NHS Digital, with "extra specialist resources during peak periods".
"It will also allow us to improve our capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software and will improve our ability to anticipate future vulnerabilities while supporting health and care in remediating known threats", the organisation added.
The NHS hopes that the new service will help it to avoid another WannaCry, even after it (hopefully) upgrades to more secure operating systems. The ransomware attack in May 2017 led to criticism of the NHS's cyber security.
Oz Alashe, CEO of security training firm CybSafe, told us that the NHS is "a potential goldmine" for hackers: "Medical histories, personal information, and address details can easily be used to commit identity fraud and other financial crime. But as WannaCry proved, it's not only people's privacy on the line - in some cases, it's the institution's very ability to function. The operative damage that an attack against the NHS can cause means that the health service isn't simply a target for cybercrime - more worryingly, it's also a target for cyber espionage."
"Ethical hacking is a useful tool for preventing cyber-attacks by identifying potential attack vectors. Across the security landscape - the armed forces, police units, private military contractors, and private security - penetration testing is already ubiquitous and regarded as vital preparation for the unexpected. It's long overdue for the NHS to start doing the same."
The National Audit Office has said that the NHS didn't know how to respond to the ransomware attack, with confusion at a local level and communication breakdowns forcing a reliance on non-approved systems like WhatsApp.
Ian Levy, technical director of the National Cyber Security Centre, recently warned that it is "just a matter of time" before a Category 1 attack affects the UK's national infrastructure.
Alashe concluded: "It's worth remembering that the WannaCry attack...was just the tip of the iceberg. Cyber security problems affecting our national health service are systemic: in February, the NHS admitted it had lost half a million patient documents over the span of five years. In March, Barts Hospital in London was incapacitated by malware, and in the same month, the personal details of thousands of Welsh NHS staff were stolen from a server run by a private contractor. In May, prior to WannaCry's release, NHS trusts were hit with numerous ransomware attacks which crippled hospitals in London, Nottingham, Cumbria and Hertfordshire."