Health Secretary Jeremy Hunt was warned in July last year of the urgent need to update the NHS’ cybersecurity in order to avoid the sort of crippling cyberattack seen in British hospitals last week.
Hospitals in England and Scotland were forced to turn away patients and cancel operations on Friday after the NHS was hit by a large-scale “ransomware” attack.
The attack was made possible because of the widespread use of the Windows XP operating system. A deal with Microsoft to update security patches for the system was allowed to expire in 2015, yet hospitals continued to use the software.
In a joint letter to the Health Secretary, the Care Quality Commission’s Chief Executive David Behan and the National Data Guardian, Dame Fiona Caldicott, warned of the urgent need to update unprotected computer systems.
The commission had been tasked by Hunt with identifying threats to patient data. In the letter, they warned that “computer hardware and software that can no longer be supported should be replaced as a matter of urgency” and insisted that “more can be done to protect against potential risks”. Crucially, they called on Hunt to ensure that “no unsupported operating systems, software or internet browsers are used within the IT estate.”
Despite the warnings, the unsupported Windows XP system continued to be in widespread use across the NHS.
Freedom of Information requests last summer revealed that trusts across the country were still using Windows XP, one year after a government contract with Microsoft to update protections for the system had expired.
The Government Digital Service, established by David Cameron, failed to extend a £5.5 million one-year support deal with Microsoft, or to secure a replacement package.
The government was aware of the problem as early as 2014, with the Cabinet Office writing to NHS trusts to insist that they should “clearly understand the risk” of being left unprotected.
In a statement on Sunday, Microsoft warned that the ransomware attack must be a “wake up call” to governments to update their systems.
“The governments of the world should treat this attack as a wake-up call,” Microsoft president and chief legal officer Brad Smith said.
He added that the company had released a Windows security update in March which would have prevented the sort of attack seen on the NHS, but that many users failed to obtain it.
“As cyber-criminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” Smith said.
The Liberal Democrats have called for an inquiry into why NHS systems were left unprotected.
“We need to get to the bottom of why the government thought cyber-attacks were not a risk, when a combination of warnings and plain common sense should have told ministers that there is a growing and dangerous threat to our cyber-security,” Lib Dem Shadow Home Secretary Brian Paddick said on Saturday.
In a statement, the Home Secretary, Amber Rudd, denied that under-investment in cybersecurity had caused the problem.
“I simply don’t think that is the case,” she said following a meeting of the government’s emergency COBR committee.
“If you look at who has been impacted by this virus it is a huge variety across different industries and across different international governments. This is a virus that has attacked Windows platforms, the fact is that the NHS has fallen victim to this. I don’t believe it is to do with our preparedness. There is always more we can all do to make sure we are secure against viruses but I think there has already been good preparations in place by the NHS to make sure they were ready for this sort of attack.”
She also denied that the Health Secretary was in hiding following the attack. Asked by Sky News whether Hunt was “being kept in a cupboard,” she replied: “There are certainly plenty of representatives from the NHS who have been standing up and saying what has been going on…”