Cyber Attacks: A Fatal Threat to Healthcare

The digital age has brought unprecedented convenience, but with it, a shadow of peril. Cybercrime, once primarily a financial and data security concern, has escalated into a direct threat to human life, with the UK's National Health Service (NHS) now recording a patient death directly linked to a cyber attack. This grim milestone underscores a chilling reality: when hackers target essential services, the consequences can be catastrophic.

High-profile institutions like Heathrow Airport, Marks & Spencer, Jaguar Land Rover, and the British Library have all fallen victim to cyber intrusions in recent years, incurring significant financial losses and operational disruptions. However, these incidents, serious as they were, did not result in fatalities. The attack on NHS computer systems represents a stark and tragic departure.

In a deeply disturbing incident in June, King’s College Hospital NHS Foundation Trust confirmed that a patient "died unexpectedly" during a ransomware attack that crippled its services last year. While the trust reportedly did not pay the ransom, the investigation revealed that a "long wait for a blood test result due to the cyber attack impacting pathology services" was a contributing factor to the patient's death. This is believed to be the first recorded instance of an NHS patient dying directly due to cybercrime, a terrifying precedent that experts fear will not be the last.

Professor Alan Woodward, a cybersecurity specialist at the University of Surrey, warns, "It's inevitable that more lives will be lost if hackers hit essential services such as the NHS." He emphasises that these criminals are not constrained by ethical considerations, often choosing targets where urgency matters to force payment, regardless of the human cost.

The NHS faces an relentless barrage of cyber threats. Dr. Saira Ghafur, digital health lead at Imperial College London, notes a significant increase in attempted attacks since the COVID-19 pandemic, driven by the surge in digital health services globally. The IBM Cost of a Data Breach Report consistently highlights healthcare as the industry bearing the heaviest financial burden from cyberattacks, with hospitals globally facing an average cost of £5.5 million and a nine-month containment period per incident.

Previous major attacks on the NHS include the 2017 incident where nearly a third of England's NHS trusts were affected, leading to almost 7,000 cancelled appointments and an estimated £92 million in remediation costs. More recently, the 2024 breach, which led to the patient’s death, involved a Russian cybercrime group called Qilin targeting Synnovis, a pathology lab serving south east London hospitals. This attack disrupted over 10,000 appointments, caused five cases of "moderate harm," and 114 instances of "low harm." Additionally, in March 2024, an attack on NHS Dumfries & Galloway resulted in the theft and publication of up to 150,000 patients' private data on the dark web after the trust refused to pay a ransom.

Professor Woodward stresses the profound dependence of the NHS on IT systems, stating, "If computers become unavailable, the whole process grinds to a halt." A 2023 National Risk Register report echoed this, predicting that a significant cyber infiltration in half of the NHS network could affect the entire service, leading to immediate impacts on clinical care and patient harm. A 2024 study by the University of Minnesota further solidified these fears, finding that hospital mortality rates can jump by up to 41% during cyberattacks, estimating 68 to 75 patient deaths in US hospitals due to cybercrime between 2016 and 2021.

NHS England states it has invested £338 million in cybersecurity over the past seven years and operates a 24/7 Cyber Security Operations Centre. However, Professor Woodward likens the constant probing by criminals to "burglars going around rattling door handles – eventually they will find one that’s unlocked." He concludes, "It is inevitable that attackers will get through at some point, so the NHS has to plan for failure." The tragic loss of life highlights the urgent need for robust defense strategies, resilient recovery plans, and increased global collaboration to combat this escalating and deadly threat to healthcare.