Who could have failed to notice that the NHS was the victim of a cyber attack
last weekend? It has been splashed across our media that 40 NHS organisations
and many GP practices were hit by this cyber attack (1).
The story broke last Friday (12th May), when ransomware hit computers
worldwide. Ransomware encrypts (locks down) all the files on a computer and the
hackers demand a ransom payment to unlock it. In this case it was £230, but that
payment was demanded for each computer, not just for one organisation. The
ransomware used a weakness in the Windows XP operating system to attack these
computers (2), meaning older computers using this old operating system were
more vulnerable.
Very quickly, over the weekend, our newspapers pointed the finger of blame, and it
wasn’t at the hackers who created this ransomware. The Daily Mail quickly
blamed managers for ignoring “warnings” (3). The Times claimed that failings in
the NHS allowed the hackers to “walk in” (4). The Sun too blamed the NHS for being
the victim of this attack and claimed patients’ records were in danger (5).
Everywhere there were stories about the patient misery this cyber attack
caused.
Amber Rudd, the Home Secretary, on Sunday, also pointed the finger at the NHS. She
said the NHS “must learn” from this attack, and claimed that Jeremy Hunt
(Health Secretary) had already instructed NHS trusts not to use Windows XP (6).
From reading all these reports you could be forgiven for thinking that this cyber
attack only affected NHS computers, but that isn’t true. This cyber attack
affected 200,000 victims in 150 different countries (7). Those affected by it
included the Spanish telecommunications giant Telefónica, which owns the O2
network (8), Deutsche Bahn, Germany’s national railway service, French carmaker Renault, a local authority in
Sweden (9), and the Nissan car plant in Sunderland (10). I didn’t notice the
tabloids or our government wagging their fingers of blame at any of these
companies or organisations.
But why was the NHS so vulnerable to this cyber attack?
Support for Windows XP ended on the 8th April 2014 (11). Basically,
Microsoft no longer issues updates for it, updates that could protect against
this sort of attack. Now, the NHS had an agreement with Microsoft: it would pay
Microsoft a flat fee each year, and Microsoft would provide the software the
NHS needed and keep it updated (12). In 2010, shortly after the Conservatives
came back into government, in coalition, that agreement was suddenly cancelled
(12). This moved the responsibility and cost of buying software and updates
onto individual NHS organisations.
In 2011 the government cancelled the NHS IT system (13). This system was
principally for patient records, but its cancellation meant individual Trusts
had the responsibility for buying their own IT systems. This gave us different
Trusts with different IT systems, many of them not compatible, and also again
put the responsibility for maintaining these systems back onto the individual Trusts.
In 2014 the government warned NHS trusts that they needed to move away from
Windows XP (14). On 8th April 2014, the Cabinet Office issued a
letter to all NHS Trusts telling them to “migrate” away from Windows XP (15), or if
they couldn’t then to take out a Premier Services Agreement (PSA) with
Microsoft, which each Trust would have to pay for themselves. The government
did purchase 12 months of Custom Support, but Trusts would have to have a PSA
to access it, and Custom Support finished in April 2015. After that, Trusts were
left alone to make their own arrangements, and there was no extra money to help
Trusts buy upgrades or even whole new computer operating systems for all their
computers, which is never cheap.
NHS IT has never been the best; it has always lagged behind other industries. Since
2010, though, NHS funding has been cut, in real terms. Since 2010, NHS funding
has only risen by 0.9% each year (16), less than inflation, and far less than the
rising demand on the NHS and rising healthcare costs. Faced with increasing
demand and increasing costs NHS managers had no choice but to reduce spending
on capital projects, such as updating computers.
Jeremy Hunt was nowhere to be found over the weekend of the cyber attack (but they say
Hunt never works weekends). It was left to Amber Rudd, the Home Secretary, to
give the Government’s response to this latest NHS crisis, on the Sunday,
instead of the Minister of Health. Hunt was door-stepped by the BBC on Monday
morning but refused to answer any questions (17). He later gave an interview to
the BBC (18) where he too wagged the finger of blame, claiming “lessons will be
learned.” Under repeated questioning, Hunt denied that the cyber attack was due
to underfunding of the NHS, and at one point tried to say the hackers actually targeted
the NHS.
What seems to have coloured the response to this cyber attack is the opportunity to
bash the NHS. So much of our media used it as a chance to attack the NHS,
claiming it was the fault of managers and that “warnings” were deliberately
ignored. The government was quick to point the finger of blame at the NHS,
implying that they had done everything they could and the fault for the attack
lay with NHS Trusts. Very few people sat back and asked the real questions:
why was the NHS so vulnerable, and why was the NHS still using such out-of-date
software?
Again, the NHS was vulnerable because of its chronic underfunding. It is the same cause
that underpinned last winter’s crisis (19), and yet it was ignored again
by our media and politicians. It seems that it is far easier to bash the NHS
than admit a very uncomfortable truth.
Drew Payne