Skip to main content

NHS Cyber Attack - There Are No Excuses

NHS Trusts still using Windows XP have been victims of a ransomware attack which has closed clinics and impacted patients - and it was entirely avoidable.

Microsoft flagged its Windows XP lifecycle dates early. Mainstream support ended in 2009, with extended support finishing in April 2014. These dates were known well in advance and yet 7% of computers remain on the 'dead' OS today. Far too many of them, apparently, within the NHS.

When the 2014 end of support date rolled around the UK Government entered a one year agreement to provide extended support for NHS Trusts who hadn't migrated to Windows 7 (despite seven years notice of the need to do so). This was an emergency measure to allow them to complete the transformation of their fleet.

It appears too many Trusts decided that lifecycle management of their IT estate wasn't worth the expenditure and did nothing. A decision which is now coming back to haunt them.

It appears there are also other PCs affected at Trusts which haven't been deploying Windows Security updates for later operating systems - Microsoft patched this exposure in March - another example of extremely poor management of IT estates.

Those responsible for IT in the Trusts affected need to answer for their actions. In many cases the decisions made will have been against the advice of those employed in the management of IT. At the very least each Trust should be able to show how it assessed the risks of retaining out of date Windows versions, who was responsible for accepting the risk and whether that was an appropriate decision.

This dramatic, headline grabbing and, above all, confidence shaking event should not be allowed to pass without those responsible being appropriately disciplined.

For now though, the focus needs to be on clean up. Individual machines will need to be wiped and restored - but hopefully not back onto XP. For most Trusts that will be sufficient to resolve this issue - barring the loss of any files stored locally on affected PCs.

For others though this may go further, with Windows Server 2003 vulnerable to the same problem - and support for that product having ended two years ago. If roaming profiles, network storage and application data is stored on WS2003 boxes there's a far bigger clean up operation in prospect.

Bad publicity is the last thing the NHS needs now, with an election upcoming and the imminent fight for its very existence looming large. Hard to think how this could come at a worse time.