The health and social care system has been rated as a significant target for cyber attack in the new version of the Government’s National Risk Register.
It identifies the sector as one of the prime targets for cyber attacks, along with the transport and communications sector and several elements of the national infrastructure.
Published by the Cabinet Office, the register is the external version of the National Security Risk Assessment and is aimed to increasing the level of transparency around how the Government sees various risks.
It says health and social care is a target for cyber criminals, with a worst case scenario involving system service disruption due to a rapid spreading of ransomware that could affect at least 50% of the estate.
Systems would become inaccessible and there would be a widespread compromise and loss of data, some of which would be unrecoverable. Impacts such as cancelled appointments and delayed procedures would be felt immediately and over time there would be more.
The effects could be more severe if a successful attack is designed specifically to disrupt NHS services, the report says.
Response recommendation
As a response, it advocates the availability of additional staff to handle paper records, the provision of clear information to responders and the public, and possibly third party IT support depending on the type and severity of the incident. The report points out that a Cyber Incident Response Retainer has been set up to cover key national systems and address the immediate impacts.
It also points to significant potential for disruption from an attack on the networks and systems supporting the transport sector, which could lead to critical services being out for days.
Similarly, an attack on a telecoms network provider could affect millions of customers with disruptions to broadband, landline and mobile services – and to the public emergency call service. Immediate disruption could last up to 72 hours but the effects could last for months, requiring a continency service to be put in place.
The document also flags up the cyber threat to elements of infrastructure such as gas and electricity supplies, the civil nuclear industry and fuel supplies.
