The massive cyberattack that almost disabled the NHS over the weekend has turned into a major political issue.
On Friday, organisations around the world were hit with ransomware, nicknamed WannaCry, which encrypted their information and then demanded payment in exchange for decryption.
In the UK, the NHS was particularly badly hit, with at least 48 organisations affected. Hospitals turned non-urgent cases away, cancelled patient operations, and doctors had to work using pen and paper rather than online systems. This chaos continued over the weekend and into Monday morning.
How was a critical service like the NHS almost knocked out by a cyberattack?
Most of the health service’s computers run Windows XP, out-of-date software which no longer gets security support from Microsoft as of 2014. Anyone still running the software after that runs a major risk of getting hacked. The NHS isn’t alone — around 140 million PCs globally still run Windows XP, according to Business Insider estimates.
The NHS did have one safeguard — the UK government was still paying Microsoft for extended security support after the cut-off date. That means it still had vital security updates and patches to avoid being hacked.
Until 2015, that is, when the government decided to stop paying for that support.
Some people feel the government is to blame for that decision, because that resulted in the NHS’ systems being more vulnerable.
Take this article from the Daily Mail, whose headline reads: “Government officials scrapped IT support for NHS computers TWO YEARS ago despite warnings it would leave them vulnerable to attack.”
The government thought paying for support was making people lazy about upgrading from Windows XP
James Stewart is the former deputy chief technology officer at the Government Digital Service, which sits within the Cabinet Office, and works with different government departments to help improve public services through tech.
Stewart didn’t participate in the decision to end Windows XP support, but did work closely with the co-ordinating team.
He said that the decision wasn’t made “unilaterally” by one department, but rather by members of different government departments who were responsible for technology. This group was called the Technology Leaders Network, and it was this group which made the decision in 2015 to stop paying Microsoft for support.
Stewart told Business Insider the group felt continuing to pay for Windows XP support would have been “pulling a rug over the problem.”
“There was this sense that we could continue paying money to Microsoft year after year for this extended support,” he said. “And what was happening was the responsibility for upgrading systems wasn’t put in the same place as managing the risk for those systems.”
In other words, the group felt that paying to patch XP gave different departments an excuse not to think about upgrading from old software.
“Even extended support doesn’t necessarily provide you protection,” Stewart added. “We could have bought [security] patches, but that doesn’t mean we would have installed them.”
The government was paying £5.5 million for extended support, according to Computer Weekly.
It’s important to mention too that individual organisations — like NHS trusts — could have kept paying for XP support if they had wanted to. What the group decided to end was the discount it was getting for having lots of XP extended support licenses.
That decision was filtered through various departments, including the NHS. Oddly, the NHS wasn’t represented in that Technology Leaders Network meeting, but the Department of Health was. As Stewart put it: “The Department of Health’s relationship with the NHS was not simple.”
There is no one body that is responsible for technical standards across the NHS, according to Stewart, which is why it’s hard to pin the blame on one individual or organisation.
“There are so many different organisations that make up the NHS, and the division of responsibility between them is extremely complex, and the way their funding is allocated is extremely complex,” he said. “That means there aren’t many levers in place to effect change across the whole system.”
One source, who preferred to stay anonymous, suggested the blame lies with NHS trust executives who make spending decisions, but are not tech savvy.
“The decision [to end Windows XP extended support] came a long time after Microsoft had started saying it was going to be closing support for the software,” the person said. “Organisations … had a long time to deal with it. And perpetuating that situation wasn’t going to help anybody longer term.
“[Why] is it acceptable for members of boards of organisations to say they don’t understand these topics? You couldn’t say the same thing about finance.”