Your life in a hacker's hands

It is midnight in the intensive care ward. Suddenly, the alarm on a bank of monitoring equipment starts to ring. Mild panic as the resuscitation equipment is made ready. But miles away, a computer hacker changes his mind and cancels the alarm.

Cyber-fantasy? Not quite. Patients' lives, says the District Audit Service, are being put at the mercy of hackers because of weak security on hospital computer systems. In one case, a patient was almost given a lethal drug overdose after confidential data files were accessed and the dosage details altered. Only the intervention of an alert ward nurse prevented a disaster occurring.

In that near-fatal incident, a hospital staff member had gained unauthorised access to the patient's files from an internal computer site. But the auditors say that computer security at Britain's hospitals is so lax that external hackers could do the same.

The District Audit Service is so worried about the failure of hospitals to install effective security systems that it is now going public to force NHS trusts to improve. Hospitals are being asked to use new programs that will trace unauthorised entry into computer networks and help to plug security gaps.

Many of the security breaches are basic oversights: failure to use data tracking software or create security access levels according to file-types and passwords. But they show that health-care providers have little awareness of the hacker's potential for creating mayhem.

In another example uncovered by the auditors, a GP practice installed a terminal with access to a hospital network in a waiting room, and left it unsupervised. This would have allowed a hacker to corrupt patients' and other records. By the end of the year, about 90 per cent of GP practices will have network connections to health authorities or family health services authorities.

Demand within hospitals for access to the Internet is making computer systems especially vulnerable, with many users unaware that if you can dial out, a hacker can surf in. The problem is severe because hospital computer systems were, until recently, the responsibility of regional computer centres, but are now under the control of NHS trusts, which have often failed to recruit people with the experience or knowledge to install proper systems.

Glynis Rockett, a regional computer audit manager for the District Audit Service, predicts a worsening scenario as more hospitals link intensive care wards into computer networks. "It is one of my ultimate worries," she said. "Few hospitals have sufficiently advanced systems that they are linked, as yet, but the potential for disaster is that much greater. We are moving rapidly in that direction.

"If someone hacks into a financial system, the hospital will lose money and time. If you are able to corrupt the monitoring of patients' vital organs, you could kill people." Intensive-care equipment is increasingly being connected to hospital computer networks.

Ms Rockett said that with existing programs it was difficult to know how many hospital computer systems were being breached, because illicit entry was not being tracked. But a survey by the auditors found that security systems were open to corruption.

Three out of four hospital computer systems had inadequate password protection; a third were vulnerable to viruses; half did not protect their power supplies; none had adequate message-filtering systems; 65 per cent of hospitals with links to external computer systems did not have adequate security measures; and 80 per cent had not properly defined who should have access to computer records.

The disclosure by the District Audit Service reinforces warnings by Scotland Yard last November that hospital computer records could be breached. Police spoke out after perverts hacked into hospital records to obtain details on women undergoing gynaecological treatment, and then made malicious phone calls to them.

Local authority computer systems are also vulnerable to hacking, says the District Audit Service. Audits showed that private contractors working for councils had been able to access confidential computer files, potentially learning about housing benefit entitlement, rent arrears and names of vulnerable tenants. Contractors might also gain confidential information that would help them to submit tenders for council work. Social services client records have also been vulnerable to hacking.