- The Care Quality Commission wrote to the Health Secretary about the urgent need to update NHS software to prevent cyberattacks.
- A contract with Microsoft to update Windows XP security patches had been allowed to expire in 2015.
- FOI requests revealed defunct systems were still in use across the NHS.
- Hospitals were crippled on Friday following widespread “ransomware” attacks.
- Liberal Democrats are calling for an inquiry into the failure.
LONDON — Health Secretary Jeremy Hunt was warned in July last year of the urgent need to update the NHS’ cybersecurity in order to avoid the sort of crippling cyberattack seen in British hospitals last week.
Hospitals in England and Scotland were forced to turn away patients and cancel operations on Friday after the NHS was hit by a large-scale “ransomware” attack.
The attack was made possible because of the widespread use of the Windows XP operating system in hospitals across the country. A deal with Microsoft to update security patches for the system was allowed to expire in 2015, yet hospitals continued to use the software.
In a joint letter to the Health Secretary, the Care Quality Commission’s Chief Executive David Behan and the National Data Guardian, Dame Fiona Caldicott, warned of the urgent need to update unprotected computer systems.
In the letter they warn that “computer hardware and software that can no longer be supported should be replaced as a matter of urgency” and call on Hunt to ensure that “no unsupported operating systems, software or internet browsers are used within the IT estate.”
Despite the warnings, unsupported Windows XP systems continued to be in widespread use across the NHS in England.
Freedom of Information requests last summer revealed that trusts across the country were still using Windows XP, one year after a government contract with Microsoft to update protections for the system had expired.
The Government Digital Service, established by David Cameron, failed to extend a £5.5 million one-year support deal with Microsoft, or to secure a replacement package.
The government was aware of the problem as early as 2014, with the Cabinet Office writing to NHS trusts to insist that they should “clearly understand the risk” of being left unprotected.
In a statement on Sunday, Microsoft warned that the ransomware attack must be a “wake up call” to governments to update their systems.
“The governments of the world should treat this attack as a wake-up call,” Microsoft president and chief legal officer Brad Smith said.
He added that the company had released a Windows security update in March which would have prevented the NHS attack, but that many users failed to obtain it.
“As cyber-criminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” Smith said.
The Liberal Democrats have called for an inquiry into why NHS systems were left unprotected.
“We need to get to the bottom of why the government thought cyber-attacks were not a risk, when a combination of warnings and plain common sense should have told ministers that there is a growing and dangerous threat to our cyber-security,” Lib Dem Shadow Home Secretary Brian Paddick said on Saturday.
In a statement, the Home Secretary, Amber Rudd, denied that under-investment in cybersecurity had caused the problem.
“I simply don’t think that is the case,” she said following a meeting of the government’s emergency COBR committee.
“If you look at who has been impacted by this virus it is a huge variety across different industries and across different international governments. This is a virus that has attacked window platforms, the fact is that the NHS has fallen victim to this. I don’t believe it is to do with our preparedness. There is always more we can all do to make sure we are secure against viruses but I think there has already been good preparations in place by the NHS to make sure they were ready for this sort of attack.”