NHS Ransomware Attack Needs To Be A Wake Up Call For Government IT

For years the industry, and indeed Silicon, have been warning that an attack on our critical infrastructure was coming. On Friday it happened. And it could have been worse.

Cybersecurity has long been seen as a drag – something that organisations believe has to be endured rather than invested in. It’s not just technical capabilities, it’s culture too.

Threats are only going to multiply as we move more processes online and the world becomes increasingly connected. The Internet of Things (IoT) is evidence of that.

NHS security

But in the end it wasn’t even this new world of innovation which caused the problems. It was a non-targeted attack aimed at vulnerable Windows systems that hadn’t been patched or were no longer supported.

Initial research suggests WannaCry targeted an SMB vulnerability disclosed in the Shadow Brokers leak of bugs known to the NSA. It was patched by Microsoft in March – two months ago – and only for supported Windows operating systems.

Any regular reader of Silicon will have been aware that support for Windows XP ended in 2014 and only organisations who purchased extended updates would be covered. The NHS reached a £5.5 million deal in 2014 for 12 months of additional updates but this was not renewed in 2015.

Back in December, it was reported that of 70 NHS trusts contacted, 48 were still using Windows XP. NHS Digital puts the figure at 4.7 percent of all systems in the NHS technological ecosystem.

This means several NHS Trusts have not applied updates or are still too reliant on XP. As many as 48 Trusts in England were impacted by WannaCry as well as 13 in Scotland.

Other organisations, such as Telefonica, will also have to address their security measures but as a public body and provider of an essential service, the NHS will be held to scrutiny. As will the government.

Windows XP

In its defence, the NHS says the number of Windows XP systems continues to fall and that some systems, such as MRI scanners, cannot be upgraded immediately. It also stresses that NHS Trusts will isolate vulnerable systems from the rest of the network and that so far there is no evidence that patient data has been compromised. Possibly because it has been encrypted?

But even still, if hundreds of thousands of NHS systems are still using XP – no matter how rapidly the figure falls – why on Earth was the government’s support agreement with Microsoft not extended?

Surely the cost of the incident has exceeded the £5.5 million it would have taken to arrange more support. After all, operations were cancelled, ambulances were redirected and staff were reduced to using pen and paper.

So much for the paperless NHS that is perpetually envisaged by ministers.

Home Secretary Amber Rudd has said most of the NHS is now “working normally”, that she hoped Trusts had backed up data and that the incident would encourage hospitals to upgrade to a new platform.

Rudd also pointed out the government’s £1.9 billion cybersecurity pledge but there needs to be action alongside rhetoric.

Funding has to be given to an NHS facing so many other problems and budget cuts and there has to be an acknowledgement among the organisation that the issue of cybersecurity cannot be ignored – no matter how pressed a Trust is.

The technology and cybersecurity industries can be accused of hyperbole, but Friday showed that their warnings cannot be ignored. And there may be worse to come.


Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
