NHS Ransomware Attack Needs To Be A Wake Up Call For Government IT

For years the industry, and indeed Silicon, have been warning that an attack on our critical infrastructure was coming. On Friday it happened. And it could have been worse.

Cybersecurity has long been seen as a drag – something that organisations believe has to be endured rather than invested in. It’s not just technical capabilities, it’s culture too.

Threats are only going to multiply as we move more processes online and the world becomes increasingly connected. The Internet of Things (IoT) is evidence of that.

NHS security

But in the end it wasn’t even this new world of innovation which caused the problems. It was a non-targeted attack aimed at vulnerable Windows systems that hadn’t been patched or were no longer supported.

Initial research suggests WannaCry targeted an SMB vulnerability disclosed in the Shadow Brokers leak of bugs known to the NSA. It was patched by Microsoft in March – two months ago – and only for supported Windows operating systems.

Any regular reader of Silicon will have been aware that support for Windows XP ended in 2014 and only organisations who purchased extended updates would be covered. The NHS reached a £5.5 million deal in 2014 for 12 months of additional updates but this was not renewed in 2015.

Back in December, it was reported that of 70 NHS trusts contacted, 48 were still using Windows XP. NHS Digital puts the figure at 4.7 percent of all systems in the NHS technological ecosystem.

This means several NHS Trusts have not applied updates or are still too reliant on XP. As many as 48 Trusts in England were impacted by WannaCry as well as 13 in Scotland.

Other organisations, such as Telefonica, will also have to address their security measures but as a public body and provider of an essential service, the NHS will be held to scrutiny. As will the government.

Windows XP

In its defence, the NHS says the number of Windows XP systems continues to fall and that some systems, such as MRI scanners, cannot be upgraded immediately. It also stresses that NHS Trusts will isolate vulnerable systems from the rest of the network and that so far there is no evidence that patient data has been compromised. Possibly because it has been encrypted?

But even still, if hundreds of thousands of NHS systems are still using XP – no matter how rapidly the figure falls – why on Earth was the government’s support agreement with Microsoft not extended?

Surely the cost of the incident has exceeded the £5.5 million it would have taken to arrange more support. After all, operations were cancelled, ambulances were redirected and staff were reduced to using pen and paper.

So much for the paperless NHS that is perpetually envisaged by ministers.

Home Secretary Amber Rudd has said most of the NHS is now “working normally”, that she hoped Trusts had backed up data and that the incident would encourage hospitals to upgrade to a new platform.

Rudd also pointed out the government’s £1.9 billion cybersecurity pledge but there needs to be action alongside rhetoric.

Funding has to be given to an NHS facing so many other problems and budget cuts, and there has to be an acknowledgement within the organisation that the issue of cybersecurity cannot be ignored – no matter how pressed a Trust is.

The technology and cybersecurity industries can be accused of hyperbole, but Friday showed that their warnings cannot be ignored. And there may be worse to come.


Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
