Wanna Decryptor and the National Health Service’s Fatal Vulnerability: Lessons Learned? | Mark Hagland | Healthcare Blogs

Wanna Decryptor and the National Health Service’s Fatal Vulnerability: Lessons Learned?

May 14, 2017
Astonishingly, Britain’s NHS was still operating on the undefended Windows XP platform

In working with members of our team here at Healthcare Informatics to develop news stories around the horrific news of the Wanna Decryptor 2.0 ransomware virus outbreak this past week, I combed a variety of mainstream news and trade publications, both from the United States and from across the international media, especially from the United Kingdom and Europe, including The Independent of London, Libération of Paris, El País of Madrid, and Frankfurter Allgemeine Zeitung of Frankfurt.

And, in doing that research, on Saturday morning, one quote stood out to me in a very dramatic fashion. It was a segment of the report in The Independent by Aatif Sulleyman. He wrote this, speaking of the U.K.’s National Health Service, which was one of the hardest-hit organizations worldwide, with at least 48 of the NHS’s trusts, or regional health authorities, severely impacted by the ransomware: “Up to 90 per cent of NHS computers still run Windows XP, according to a report published in the BMJ earlier this week. The operating system was released in 2001, and Microsoft cut support for it in 2014. ‘People can continue to use the software, but doing so comes with enormous risks,’ the report went on, quoting David Emm, the principal security researcher at Kaspersky, as saying that ‘Using XP is particularly bad because it’s no longer supported and there’s no way to patch it.’”

That revelation stunned me. Windows XP?? Really???? Many have noted that the NHS has been underfunded in terms of capital for years, and this inaction around IT architecture must certainly be connected to that. But still—this was a stunning revelation, particularly in light of the fact that the Wanna Decryptor attack has had a severe impact on at least 48 of the trusts (regional hospital authorities) within the NHS, leading to thousands of patients being turned away from care.

Then, Sunday morning, I found an article in The Times of London, by Jon Ungoed-Thomas and Dipesh Gadher, that included this: “The organisation involved in protecting NHS computer systems is operating without a permanent leader amid concerns that urgent official warnings to upgrade IT infrastructure have gone unheeded. NHS Digital is led by Rob Shaw, an interim chief executive, who has a pay package worth more than £200,000 and a £1m pension pot, according to accounts. The organisation answers to Jeremy Hunt, the health secretary, who was warned by watchdogs last July that NHS systems needed to be strengthened ‘as a matter of urgency.’”

The report by Ungoed-Thomas and Gadher went on to report that “Dame Fiona Caldicott, the national data guardian, and the Care Quality Commission informed Hunt in an eight-page letter that there was a risk of ‘serious, large-scale data losses’ from a cyber-attack unless action was taken. About a third of NHS trusts have previously suffered ransomware attacks, with one—Imperial College Healthcare, in London—infected 19 times in a year, according to data obtained under freedom of information rules. NHS Digital’s board said in March that it would ‘support the implementation’ of the steps recommended by Caldicott.”

What’s more, in another article published Sunday morning, U.K. time, in The Times, Louis Emmanuel reported that “The British researcher who helped to limit the effects of the global cyber-attack that paralysed parts of the NHS has warned that a second wave of strikes could arrive on Monday. In England, 48 NHS trusts fell victim to the hack, which caused major disruption to routine procedures and emergency services, including the cancelling of operations and postponement of cancer treatments.”

There is actually some good news in all this: Emmanuel noted in his report that “Amber Rudd, the home secretary, said yesterday that all but six of the trusts were back to normal following the attacks that crippled IT systems by locking computers and demanding a ransom.”

Still, given how quickly cybercriminals can alter their patterns in response to victimized organizations’ attempts to address the damage the cybercriminals have inflicted, one must still worry about how NHS officials will cope with what might happen this coming week.

Much more fundamentally, how is it that the NHS was allowed to stay on Windows XP after Microsoft had abandoned it? That really is a huge, and hugely important, question. And whatever the capital-needs deficits in the NHS, whichever senior officials in the British government (since the NHS is government-run) decided that it was OK for their clinical and operational information systems to remain on XP also made the decision—whether they realized it or not—that it was OK to leave millions of patients in the U.K. potentially exposed to breakdowns in care delivery—a reality that has now come to pass.

The reality is that, as shocking as this Wanna Decryptor situation is, it is now becoming the global “new normal,” as the overall threat level to every large organization in the contemporary world continues to rise higher and higher with every new year, month, week, and even day.

And, in thinking about the disaster at the NHS, my mind naturally turns to hospital organizations in the U.S., especially to the independent community hospitals, and most especially the smaller and rural hospitals, that lack the resources and personnel that the large multi-hospital systems have to address cybersecurity threats.