By Weizi Vicky Li, Informatics Research Centre, Henley Business School

With healthcare service scopes expanding, healthcare processes changing and technologies evolving over time, many systems need improvement or they become vulnerable to cyber-attacks. This is especially true in hospitals, where most legacy systems handle a lot of sensitive data while providing critical information and essential support for business operations.

Information systems and intranet/internet have been implemented in NHS hospitals for more than 30 years. Early systems implemented in the NHS include the Patient Administration System, GP systems, pathology laboratory systems, radiology and PACS systems, nursing and care planning systems, and theatre systems.

The threat lies in the fact that many of the legacy systems have long been integrated into the core business and healthcare service processes, and therefore cannot simply be scrapped. In short, those legacy systems are valuable as well as vulnerable.

The attack should clearly prompt a rethink about the future use of information systems in large organisations such as the NHS, especially with the increasing reliance on big data analytics and artificial intelligence in the future. Therefore, apart from routine software maintenance such as keeping IT systems up to date and improving staff cyber security awareness, actions should also involve coarser-grained, higher-level structural changes to systems (re-architecting), which can be realised through a combination of bottom-up and top-down renovation activities.

While the former approach reconstructs the system design by analysing the source code (e.g. software patches), the top-down methods examine the cyber security of legacy systems within an operating context. A modularised system architecture design that further ‘encapsulates’ legacy systems could be a way of modernising and protecting NHS systems, as well as preserving the original system investment and retaining the ability to scale up in the future.