HSJ’s must read stories and talking points

Cyber aftermath

For most trusts hit, directly or otherwise, by Friday’s unprecedented ransomware attack the worst appears to be over. For now.

An unfortunate handful are continuing to suffer, with appointments and operations cancelled, IT systems still down, patient care disrupted. For the rest, there is time to reflect and prepare for likely future attacks.

Another major cyber attack on the NHS is nearly inevitable, but the disruption to patient care is not.

Much has been made of the NHS’s reliance on Windows XP, and how that left it open for attack.

It is true that the NHS’s IT infrastructure has been, and continues to be, underfunded. It is also true that long after support ended for XP in 2014, leaving it vulnerable to just these sorts of attacks, the NHS continued to rely heavily on the system.

However, in July two separate reports, from the CQC and National Data Guardian, made the dangers of the NHS’s reliance on obsolete technology abundantly clear. Since then, many trusts have moved off XP, or isolated ageing devices still using the system, such as scanners, from the rest of the trust’s network.

NHS Digital claims that of the 1.5 million computers and devices running Windows in the NHS, only 70,000 or 4.7 per cent are running XP. This is down from 18 per cent last year, the agency says.

While these remaining XP computers could have been the malware’s gateway into some trusts, if NHS Digital’s figures are correct, that is unlikely in most cases. 

Trusts failing to update security on more modern Windows operating systems, which is what is used on most NHS computers, probably played a bigger part in the malware spreading to a fifth of all trusts.

A software update protecting against this specific attack was available in March. On 27 April, NHS Digital urged more than 10,000 trust IT staff to apply the update. At this stage, on the face of it, it appears many did not do so.

While hundreds of other non-NHS organisations were infected globally, there is some speculation that organisations known to be vulnerable were targeted.

At the very least, central agencies and individual trusts will be looking much more closely at cyber security in an effort to shake any impressions that the NHS is easy prey.

Whether this leads to more funding, from the roughly £1bn meant to be left in the “Paperless 2020” budget or elsewhere, remains to be seen.

Regardless, it should lead to more oversight and senior management attention on cyber security, something that the NHS has been criticised for lacking in the past.

Ben Heather, HSJ technology correspondent