Fears of cyberattack as tender reveals NHS Highland web security ‘compromised’
The security of NHS Highland’s website is “compromised” and redevelopment of the platform “cannot be deferred any longer” – raising fears of a cyberattack, it has emerged.
The details came via a tender document published by the health board on the Public Contracts Scotland website.
It revealed the technical architecture of the organisation’s website has been considered “obsolete” and “largely un-editable by staff” since 2017, when its host platform – Microsoft’s SharePoint 2007 – was declared an unsupported ‘end of life product’.
Scottish Tory MSP Miles Briggs said it is “concerning” that the security issue has been published publicly. “They almost could be advertising themselves to be attacked,” he said.
A spokesperson for NHS Highland told Futurescot: “The NHS Highland website does not hold any sensitive information or link directly to other systems that might hold, for example, patient information.
“Security concerns are more centred around a potential disruption to service, for example in accessing the Near Me virtual appointment service, which could occur if the site were down. We have alternative arrangements we can put in place, should this happen.
“We take security very seriously and for that reason are keen to move to a more up to date web infrastructure which can be easily supported.”
They said the five-year delay in updating the website infrastructure was “in part due to the redirection of resource towards the pandemic response”.
They added: “Between 2017 and 2020 there were a number of changes amongst senior managers at NHS Highland, including three changes of communications lead.
“This added to the timescales for preparing and processing a business case for the redevelopment of the website.”
The health board said it expects to award the tender in early March and begin the redevelopment soon after.
Briggs said: “I think people are using the pandemic as an excuse – but this is a long-running issue. Health boards haven’t taken this as seriously as they should. It is concerning that we’ve had that period where Highland haven’t invested in this issue to make sure that they weren’t in this position.”
He said the news was a sign that the public sector is “waking up to the threat of cyber attacks”.
The Lothian MSP has recently been campaigning to force ministers to be more transparent about which public sector organisations have been hit by cyberattacks, following a rise in cyber incidents from four in 2018 to 12 last year (up to October).
“Most organisations are living in an era where they’ve not necessarily invested in their IT and information security, and so they’re having to some extent start that process and start that investment,” he said.
“A lot of health boards haven’t made this a priority, and it is something they should be looking at, not just for security, but for how the world’s changing and people want to be able to embrace technologies.”
He said national investment is needed to support a “once for Scotland” approach to protect health boards and other organisations against cyber criminals.
“I would like to see the government show more leadership around this as well because it’s an important issue.
“It can sometimes be an expensive issue for health boards to build solutions. They might not have the skill set as well to do it within their department. And so I think there’s a need for national investment to take place as well.
“I think most health boards have so many other pressures that they just haven’t been able to [prioritise cybersecurity]. And to some extent, I think in the day-to-day running of a health board, this isn’t a priority – a lot of the time it’s waiting times, controlling finance, and the recruitment crisis.”
Briggs pointed out that other countries have invested in central systems which make it easier for organisations like health boards to collaborate and solve issues.
He said: “Estonia have built a sort of central spine to their systems so that all the health boards can communicate. We still don’t have that in Scotland, which is kind of ridiculous.”
According to the public contract notice, the NHS Highland website has existed in its current form for “over a decade” and “has long been viewed by the organisation as offering an outdated experience for service users, staff, and stakeholders; with knock-on effects for services and how NHS Highland is perceived”.
In May 2017, the WannaCry cyberattack cost the NHS a total of £92m through services lost during the attack and IT costs in the aftermath. The ransomware worked by causing 200,000 computers to lock out users with red-lettered error messages demanding Bitcoin, and was blamed on North Korean hackers.
In Scotland the same year another variant of malware infected NHS Lanarkshire systems, leading to some appointments and procedures being cancelled.
And in 2018 all 200 NHS trusts in England failed an inspection test for cyber security vulnerabilities.