Saturday, 20 May 2017

The Computer Says No

Who could have failed not to notice that the NHS was the victim of a cyber attack, last weekend? It was been splashed across our media that 40 NHS organisations and many GP practices were hit by this cyber attack (1).

The story broke on last Friday (12th May), ransomware hit computers worldwide, ransomware encrypts (locks down) all the files on a computer and the hackers demand a ransom payment to unlock it, in this case it £230, but that payment was demanded for each computer not just for one organisation. The ransomware used a weakness in the Windows XP operating system at attack these computers (2), meaning older computers using this old operating system were more vulnerable.

Very quickly, over the weekend, our newspapers pointed the finger of blame, and it wasn’t at the hackers who created this ransomware. The Daily Mail quickly blamed managers for ignoring “warnings” (3). The Times claimed that failings in the NHS allowed the hackers to “walk in” (4). The Sun too blamed the NHS for being the victim of this attack and claimed patients’ record were in danger (5). Everywhere there were stories about the patient misery this cyber attack caused.

Amber Rudd, the Home Secretary, on Sunday, also pointed the finger at the NHS. She said the NHS “must learn” from this attack, and claimed that Jeremy Hunt (Health Secretary) had already instructed NHS trusts not to use Windows XP (6).

From reading all these reports you could be forgiven for thinking that this cyber attack only affected NHS computers, but that isn’t true. This cyber attack affected 200,000 victims in 150 different countries (7). Those affected by it included the Spanish telecommunications giant Telef√≥nica, who owns the O2 network (8), Deutsche Bahn, Germany’s national railway service,  French carmaker Renault, a local authority in Sweden (9), and the Nissan car plant in Sunderland (10). I didn’t notice the tabloids or our government waging their fingers of blame at any of these companies or organisations.

But why was the NHS so vulnerable to this cyber attack?

Support for Windows XP ended on the 8th April 2014 (11). Basically, Microsoft no longer issues up dates for it, updates that could protect against this sort of attack. Now the NHS had an agreement with Microsoft, it would pay Microsoft a flat fee, each year, and Microsoft would provide the software the NHS needed and keep it updated (12). In 2010, shortly after the Conservatives came back into government, in coalition, that agreement was suddenly cancelled (12). This moved the responsibility and cost of buying software and updates onto individual NHS organisations.

In 2011 the government cancelled the NHS IT system (13). This system was principally for patient records, but its cancellation meant individual Trusts had the responsibility for buying their own IT systems. This gave us different Trusts with different IT systems, many of them not compatible, and also again put the responsibility for maintaining these systems back onto the individual Trusts.

In 2014 the government warned NHS trusts that they needed to move away from Windows XP (14). On 8th April 2014, the Cabinet Office issued a letter to all NHS Trusts telling them to “migrate” away from Windows XP (15), or if they couldn’t then to take out a Premier Services Agreement (PSA) with Microsoft, which each Trust would have to pay for themselves. The government did purchase 12 months of Custom Support, but Trusts would have to have a PSA to access it and Custom Support finished in April 2015. After then Trusts were left alone to make their own arrangements, and there was no extra money to help Trusts buy upgrades or even whole new computer operating systems for all their computers, which is never cheap.

NHS IT has never been the best, it has always lagged behind other industries. Since 2010, though, NHS funding has been cut, in real terms. Since 2010, NHS funding has only risen by 0.9% each year (16), less than inflation, and far less than the rising demand on the NHS and rising healthcare costs. Faced with increasing demand and increasing costs NHS managers had no choice but to reduce spending on capital projects, such as updating computers.

Jeremy Hunt was nowhere to be found over the weekend of the cyber attack (But they say Hunt never works weekends). It was left to Amber Rudd, the Home Secretary, to give the Government’s response to this latest NHS crisis, on the Sunday, instead of the Minister of Health. Hunt was door-stepped by the BBC on Monday morning but refused to answer any questions (17). He later gave an interview to the BBC (18) were he too wagged the finger of blame, claiming “lessons will be learned.” Under repeated questioning, Hunt denied that the cyber attack was due to underfunding of the NHS, and at one point tried to say the hackers actually targeted to NHS.

What seems to have coloured the response to this cyber attack is the opportunity to bash the NHS. So much of our media used it as a chance to attack the NHS, claiming it was the fault of managers and that “warnings” were deliberately ignored. The government was quick to point the finger of blame at the NHS, implying that they had done everything they could and the fault for the attack lay with NHS Trusts. Very few people sat back and asked the real questions about why the NHS was so vulnerable, why was the NHS still using such out of date software?

Again the NHS was vulnerable because of it chronic underfunding, it the same course that lead underpinned last winter’s crisis (19), and yet it was ignored again by our media and politicians. It seems that it is far easier to bash the NHS than admit a very uncomfortable truth.

Drew Payne

No comments: