Repeated warnings over system vulnerability ‘were not heeded’
The NHS failed to heed repeated warnings that its out-of-date computer systems were vulnerable to the sort of cyber attack that brought it to its knees, it was claimed last night.
Jeremy Hunt, the Health Secretary, was accused of ignoring “extensive warning signs” before an unprecedented cyber attack which plunged the NHS into chaos.
Claims the NHS failed to act came as it emerged that managers had failed to apply recent security updates which would have protected their systems.
Nearly five per cent of the NHS’s computers still use the Windows XP system, dating back nearly 20 years, or its more recent Windows 8 and Windows 10 variants vulnerable to new malware viruses developed by hackers.
The Government ended its annual £5.5million deal with Microsoft to provide ongoing security support for Windows XP in May 2015, unless individual trusts – already struggling with budgets – were prepared to pay extra for an extended support deal.
Experts say that, with no support deal in place, trusts had no access to Microsoft’s anti-virus “patches” designed to foil precisely the sort of attack experienced on Friday.
Ross Anderson, professor of security engineering at Cambridge University’s computer laboratory, said the incident is the “sort of thing for which the Secretary of State should get roasted in Parliament”. He added: “If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, then whose fault is that?”
Labour has seized on the crisis to attack the Government’s handling of the health service. Jonathan Ashworth, the Shadow Health Secretary, said concerns were repeatedly flagged about the NHS’s outdated computer systems, which left it vulnerable to the virus.
In a letter yesterday to Mr Hunt, he wrote: “As Secretary of State, I urge you to publicly outline the immediate steps you’ll be taking to significantly improve cyber security in our NHS.
“The public has a right to know exactly what the Government will do to ensure that such an attack is never repeated again.”
Simon Stevens, the Chief Executive of NHS England since 2014, failed to make a public statement yesterday.
There was renewed speculation last night that Mr Hunt could be moved in a reshuffle after he was criticised for appearing to go missing during the crisis.
Although Mr Hunt attended a meeting of the Cobra committee, Home Secretary Amber Rudd took the lead on TV and radio, leaving commentators and MPs to question whether the Health Secretary had a grip on the crisis.
Ms Rudd said Mr Hunt had told health trusts to upgrade their software and most of them had.
Just a day before Friday’s attack, a doctor warned that NHS hospitals needed to be prepared for an incident of precisely the kind seen. Dr Krishna Chinthapalli, a neurology registrar at the National Hospital for Neurology and Neurosurgery in London, wrote that hospitals “will almost certainly be shut down by ransomware this year”.
Before Friday’s attack Microsoft released a fix, or patch, for the issue but computers that did not install the update, or could not due to the age of their software, would remain vulnerable.