• NHS Digital says NHS organisations were sent a patch two weeks ago which would have blocked the infection for most systems
• National organisation says its figures show fewer than one in 20 NHS organisations have any computers running obsolete Windows XP

NHS Digital sent thousands of NHS IT staff a patch two weeks ago which would have saved some systems from Friday’s unprecedented cyber attack, HSJ has learnt.

National officials have also said for the first time that they believe fewer than one in 20 NHS organisations have computers running Windows XP - the old version of the operating system which some have blamed for the spread of the infection.

On Friday, dozens of NHS organisations were infected with a ransomware virus, which encrypted data and demanded payment within three days.

An NHS Digital spokeswoman told HSJ that a patch protecting against the ransomware had been available on NHS Digital’s cyber portal since 25 April. In addition, a link to the patch had been sent to NHS IT staff across the country on 27 April.

“Most organisations should have put that patch in place,” she said.

However, the patch would not have protected the many computers in the NHS still running Windows XP, a vulnerability that a major report last year highlighted as requiring urgent attention.

Amid growing criticism over the NHS’s reliance on Windows XP, seen as particularly vulnerable to attack, NHS Digital also said for the first time that its figures showed most trusts were no longer using the system.

Latest figures showed only 4.7 per cent of NHS organisations still have computers or devices running Windows XP, NHS Digital said. 

This would suggest that at least some of the trusts infected did not apply the patch last month.

The NHS’s ageing IT infrastructure has become a point of contention since the attack, with Labour today accusing the Government of ignoring earlier cyber security concerns.

There have also been concerns raised about the NHS devolving responsibility for updating and replacing Windows operating systems to individual NHS organisations in 2015, after declining to extend a nationwide £500m contract with Microsoft.  

In July last year, two national reports by government agencies, one from the Care Quality Commission and another from the National Data Guardian, both highlighted concerns about the NHS’s reliance on obsolete tech, particularly Windows XP.

Since then, NHS Digital has warned there has been a growing frequency of ransomware attacks both on individual trusts and across the NHS secure network.

In May last year, the outgoing chairman of what is now NHS Digital, Kingsley Manning, warned the NHS was not taking cyber security seriously enough.

For NHS organisations still using Windows XP, today Microsoft took the unusual step of releasing a patch that protects the system against the ransomware attack.