NHS was warned to raise cyber defences
Trusts given £50m to upgrade systems and were sent patch weeks before attack
THE NHS was repeatedly warned to do more to protect itself from cyber attacks, the Defence Secretary has said, as it emerged that trusts were urged to update their software two weeks ago.
Sir Michael Fallon said that the NHS had been given a “large chunk” of money to improve security, and been given a series of warnings about the growing threat.
It came as the head of the National Cyber Security Centre (NCSC) said he had been “shouting from the rooftops” about the need to protect services from hacks.
Over the weekend, NHS trusts have embarked on frantic efforts to protect computer systems, installing security upgrades.
Around 47 NHS organisations were hit, with networks left vulnerable because they were either using outdated Windows XP operating systems, which were no longer supported by Microsoft, or had modern systems but had failed to carry out security updates.
In March, Microsoft released such an alert to protect against the latest threats. It has emerged that health officials sent the patch out to NHS IT staff on April 27.
In 2015, the Government ended a £5.5 million contract with Microsoft to provide customised support for Windows XP, having done so for a year after the company stopped issuing updates.
However, trusts continued to use the unsupported system, with around 5 per cent still doing so.
Yesterday the Defence Secretary said the Government had set aside £1.9 billion for cyber protection, and had repeatedly warned the NHS to do more to protect itself.
“We’re spending around £50 million on the NHS cyber systems to improve their security,” Sir Michael said. “We have encouraged NHS trusts to reduce their exposure to the weakest system, the Windows XP.”
“We want them to use modern systems that are better protected,” he added. “We warned them, and they were warned again in the
‘We want them to use modern systems. They were warned again in the spring’
spring.” Ciaran Martin, head of the NCSC, urged organisations to take urgent action to protect the UK’S defence. “Ransomware is a basic form of attack, national defence depends on the actions of hundreds and thousands of organisations,” he said.
“We are shouting from the rooftops about some of the basic mitigations and protections that people can put in place to contain the damage and to stop it happening in the future.”
Companies needed to ensure “very basic” security
rules were followed, including running up-to-date security software, using anti-virus software and backing up data, he said.
Mr Martin added that official advice was not to pay the ransom demanded by the hackers. “Whoever these people are, they are criminals and not to be trusted,” he said.
Yesterday it emerged that none of the 66 cyber attacks on English hospitals last year were reported to police.
One London NHS trust – Imperial College Healthcare – was hit 19 times in 2016.
Recent board reports from NHS trusts warn that failures to maintain and invest in IT could have “catastrophic implications”.
Marcus Hutchins, the security researcher hailed as an “accidental hero” after registering a domain name to track the virus, which halted it, warned yesterday that a further attack was likely. He said on Twitter that hackers could upgrade their virus to remove his “kill switch”, rendering vulnerable any systems which are not patched.
“It’s very important that people patch their systems now,” he said. “We have stopped this one, but there will be another one coming and it will not be stoppable by us.
“There’s a lot of money in this. There’s no reason for them to stop. It’s not really much effort for them to change the code and then start over.”