An investigation by More4 News found that more than 8,000 viruses got through security systems, with 12 incidents impacting on patient care on computers analysed. The investigation requested information from every NHS trust in England to find out how many of their systems had allowed a computer virus to penetrate their network, with 75 per cent responding.
A number of trusts admitted in official reports and to More4 News that their networks were attacked because anti-virus systems were turned off or not properly applied. The viruses that More4 News found are also being used by hackers to steal personal information.
Last November the Mytob worm spread through three major London hospitals and overloaded networks, impacting services including accessing blood tests, X-ray and patient administration. The independent report into the incident at Barts and the Royal London concluded it was entirely avoidable.
In a statement to More4 News, the NHS said: "Electronic patient records systems are protected by the highest levels of access controls and other security measures. These levels of security are far higher than any which can be imposed on access to paper records or the majority of local NHS IT solutions."
Andrew Clarke, senior vice president, international at Lumension, said: “It is important to note that the NHS hasn't stood still for the last six months when it comes to updating its security defences. We've seen various NHS organisations, including NHS Scotland, looking for new security solutions to address both emerging threats and enforce data protection.
“It is now widely acknowledged that relying on an anti-virus only approach to security is inadequate defence. Although it still plays a role in helping to protect against the latest known security outbreaks, it is not able to defend against emerging threats on its own. After all, it is a reactive approach to security that relies on the application of thousands of security signatures before an outbreak occurs.”
Clarke advised supplementing AV protection with a whitelisting and taking a proactive approach to security to control applications.