Sunday, May 14, 2017

Was the cyber attack on the NHS avoidable?

The backlash of the cyber attack that all but incapacitated the NHS in England has started and already questions are being asked as to whether basic precautions were being taken to protect ICT systems from such an offensive.

The Observer reports that the attack has become a hotly contested election issue with both Labour and the Liberal Democrats blaming the crisis on the government’s failure to upgrade hospital computers. And if this Private Eye piece from 18 April 2014 is correct then they have a point:

The Liberal Democrats have demanded an inquiry into why the Conservatives had cut cybersecurity support a year ago when it axed the £5.5m deal with Microsoft:

“We need to get to the bottom of why the government thought cyber-attacks were not a risk, when a combination of warnings and plain common sense should have told ministers that there is a growing and dangerous threat to our cybersecurity,” said Lib Dem home affairs spokesman Brian Paddick.

“It is worrying that in Amber Rudd we have a home secretary in the digital age more suited to the era of analogue,” he said.

“This is not the first time she has looked lost in cyberspace. The government likes to look tough, but this is an example of where it has left Britain defenceless.”

It is all very well the Prime Minister saying that this was a global attack but that does not excuse the level of unpreparedness. But the scale of the problem was revealed in comments later in the article:

The former NHS Digital chairman Kingsley Manning said a cyber-attack “was always going to happen”. Money earmarked for IT upgrades was sometimes diverted by NHS trusts because “it is very difficult to get individual trusts, even if you provide the money centrally, to actually use that money for this purpose”.

Jan Filochowski, who ran six trusts including Great Ormond Street children’s hospital in London, said: “Most of the NHS IT system is out of date. It’s been behind the curve in terms of investment in IT for years.

“But there’s a real problem in replacing it because the costs are enormous and it would involve major capital expenditure from the Treasury and that has been deeply constrained [in recent years] during the resource squeeze in the NHS.”

As true as all these claims are, it does not excuse the complacency that allowed this cyber attack to succeed. In truth the NHS has been badly served by politicians and civil servants who do not understand ICT, and who consider computers to be some sort of holy grail that will solve all their problems, when in fact they are tools best used as part of a change management process.

If only the £12 billion wasted by the former Labour Government on its own failed Health Service ICT project had been used instead to upgrade and reinforce the computer systems on which the NHS relies day-in-day-out then we might not be where we are today.

Some caution is needed when assigning blame for the extent of this malware attack.

Let's get Windows XP out of the way as a primary cause. I understand that less than 10% of NHS PCs run XP (probably less usage for Server 2003) and the malware has affected PCs and servers running Windows versions fully supported by Microsoft. The outbreak would have happened without the presence of XP systems, so we have to look at what went wrong on the supported Windows versions.

It is believed that some PCs were infected by opening infected email attachments (assumed to be preventable by OS and application security updates) which spread to others via a vulnerability in the SMBv1 network protocol (for which a patch has been available for several weeks). The question is why the relevant patches have not been applied to supported Windows versions.

As you note, this is about change management and I am sure that the problems will be different in different locations. Testing upgrades for backward compatibility and running a timely change review process are day-to-day things that IT teams should be able to pursue without worry. In NHS terms, they don't cost very much -- serious money has to be spent when desktop PCs are connecting to legacy servers and applications which are incompatible with contemporary security requirements.

Microsoft deserve a little blame too. The recent switch from individual patches to patch bundles will have slowed patch deployment, occasionally preventing it.
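One way for an IT team to audit the two conditions the comment above describes (SMBv1 still enabled on a supported Windows host, and no security updates applied for several weeks), as an added PowerShell example that is not from the post or its commenter; the 60-day window and the -Remediate switch are assumptions.

```powershell
# Added example: audit SMBv1 exposure and recent security-update history on
# a supported Windows host. Run from an elevated PowerShell prompt on
# Windows 8 / Server 2012 or later.
param(
    [datetime]$PatchCutoff = (Get-Date).AddDays(-60),  # assumption: "several weeks"
    [switch]$Remediate                                 # assumption: disable SMBv1 server if set
)

$report = [ordered]@{}

# 1. Is the SMBv1 server protocol still enabled on this host?
$smb = Get-SmbServerConfiguration
$report['SMB1ServerEnabled'] = $smb.EnableSMB1Protocol

# 2. Is the SMB1 optional feature (client and server binaries) installed?
#    Not every Windows edition exposes this feature, hence SilentlyContinue.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report['SMB1FeatureState'] = if ($feature) { $feature.State } else { 'Unknown' }

# 3. Which security updates were installed on or after the cut-off date?
$recent = Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn -ge $PatchCutoff } |
    Sort-Object InstalledOn
$report['SecurityUpdatesSinceCutoff'] = $recent.Count
$report['LastSecurityUpdate'] = if ($recent) { ($recent | Select-Object -Last 1).InstalledOn } else { 'none' }

# 4. Flag the combination the comment describes: SMBv1 listening and no
#    security updates applied within the window.
$report['AtRisk'] = [bool]($smb.EnableSMB1Protocol -and $recent.Count -eq 0)

[pscustomobject]$report | Format-List

if ($Remediate -and $smb.EnableSMB1Protocol) {
    # Disabling the SMBv1 server side breaks clients that can only speak
    # SMBv1, so test against the legacy systems the comment mentions first.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 server protocol disabled on this host.'
}
```

Run it without -Remediate across a sample of hosts first; the AtRisk field gives change management a concrete list to act on rather than an assumption.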