You think the NHS cyber-attack was a shock? Wait for this…

May 13, 2017

by Martin Odoni

The cyber-attack that hit National Health Service hospitals yesterday has, inevitably, been twisted by Amber Rudd into a tool with which to add extra pressure onto the Service. Her exhortations to the NHS to ‘learn’ from the attack have more than an echo of cliché about them, to say nothing of diverting from the ongoing funding squeeze in healthcare. With hospitals up and down the land reducing staff and budgets, how exactly they can afford, or find the time, to keep software secure, is a bit of a mystery.

It was all very well Jeremy Hunt, the Health Secretary who makes everybody sick, telling hospitals not to use the 16-year-old Operating System Windows XP on their computers, but he did not really give them the means of getting hold of any of its successors. Licenses for using Microsoft systems on multi-server networks can get very expensive, and they also need substantial IT staff both to get them installed, and to keep them maintained. That costs money, whether Tory dogma likes it or not. (Ending a support deal with Microsoft a couple of years back did nothing to help either.)

So all the details from yesterday are alarming enough, and while I have no doubt indicators will be found that the NHS might have handled it better, squirming and blame-shifting by the Government should not be tolerated.

However, I have reason to worry that yesterday was a symptom of a more ingrained disease. You see, the scariest aspect of NHS cyber-security is not that Windows XP is still being used so widely around the country. No. What is scariest is that I have learned that it is not the oldest OS by any means.

Out of discretion and to protect their job, I cannot reveal who has informed me of this, or where specifically the individual works. I know that might sound like the cover story of an irresponsible rumour-monger, but I will have to ask readers to take this on trust. However, the informant is a specialist working at a hospital in the north-west of England. They state that this hospital still has computers running on – wait for it…

Windows 95.

No, you did not read that incorrectly; there is at least one hospital in the country whose computers are still using an Operating System that was released twenty-two years ago, and for which Microsoft ceased all support at the end of 2001.

Yes, before anybody asks, the computers in question are fully connected to the Internet.

This suggests that the problem of obsolete cyber-security in the NHS may be more deeply-rooted than merely the current mean-fistedness of Austerity Government. Austerity certainly is not helping, in that it delays any attempts to get up-to-date. But the computers in question may have been in use since around the time Tony Blair became Prime Minister way back in 1997. This suggests that the last Labour Government may have also mishandled – perhaps not taken seriously – the important matter of software security.

I can say no more about this at present without compromising the identity of the informant, but to the best of my understanding, what I have been told is almost certainly true.