This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at https://www.theguardian.com/technology/2017/may/15/warning-of-nhs-cyber-attack-was-not-acted-on-cybersecurity

The article has changed 6 times.

Version 2: Warning of NHS cyber-attack risk was not acted on, says cybersecurity adviser
Version 3 (about 3 hours later): Operations cancelled as Jeremy Hunt is accused of ignoring warnings

Version 2: The government has been accused of failing to heed a warning last summer that the NHS could be at risk from cyber-attacks by one of the advisers who highlighted the potential for major problems.
Version 3: Operations and hospital clinic appointments due to take place on Tuesday have been cancelled amid claims that ministers ignored warnings last year that the NHS could be at risk from cyber-attacks like the ongoing ransomware causing havoc in 150 countries.

Version 2: In July, the NHS regulator, the Care Quality Commission, and the national data guardian, Dame Fiona Caldicott, warned that the threat of such attacks “has not only put patient information at risk of loss or compromise but also jeopardises access to critical patient record systems by clinicians”.
Version 3: Jeremy Hunt, the health secretary, said an anticipated second wave of malware attacks in Britain, that experts had feared might strike on Monday, did not materialise.

Version 2: The WannaCry attack on Friday has affected 47 NHS organisations, some of which were still experiencing problems on Monday, although the health secretary, Jeremy Hunt, said a feared second wave of attacks on the health system had not occurred.
Version 3: But he had to defend the government’s record on NHS cybersecurity after it emerged that the health service regulator, the Care Quality Commission, and the national data guardian, Dame Fiona Caldicott, warned last July that the threat of such attacks “has not only put patient information at risk of loss or compromise but also jeopardises access to critical patient record systems by clinicians”.

Version 2: Dr David Wrigley, a GP from Lancashire, who is deputy chair of the British Medical Association, was on a panel that drew up the guidelines on cybersecurity, which were provisionally accepted by the Department of Health last year.
Version 3: The unprecedented cyber-attack froze computers across the NHS on Friday, threatening to delete key files unless a ransom was paid, and also hit big organisations such as Telefonica, Deutsche Bahn and FedEx, rapidly spreading around the globe.

Version 2: He said there had been a failure to act on the advice. “It’s been known about for years, that the software isn’t up to date across the NHS, so it’s not unpredictable that this situation should have arisen,” he said. “But it’s disappointing that funding hasn’t been given to upgrade the system. It needs urgent action by politicians.”
Version 3: However by Monday it had slowed its course thanks to users downloading updates to protect their computers, an “accidental hero” registering a website that acted as a kill switch to stop the spread, and intense remedial action by IT security experts.

Version 2: He said staff in his area had been working day and night at the weekend to limit the impact but national action was required.
Version 3: On Monday, Vladimir Putin denied that his country was behind the global attack and blamed the US for it.

Version 2: “Issues around software obviously haven’t been addressed,” he said. “I don’t think it’s acceptable for politicians to say, ‘It’s all down to local NHS and management’. They have got a duty to ensure everything is up to date.”
Version 3: The Russian leader cited the fact that the ransomware relied on information that came from a leak of US National Security Agency (NSA) hacking tools, a point also made by Microsoft’s president.

Version 2: The report said the threat “is most often introduced from denial of service attacks (attempts to make a machine or network resource unavailable to its intended users) and ransomware such as ‘cryptolocker’, but can also arise during the transition between different IT systems”. It also referred to “known weaknesses and vulnerabilities” of Windows XP, the operating system used by trusts believed to have been worst affected by Friday’s attack.
Version 3: “Microsoft’s leadership stated this directly, they said the source of the virus was the special services of the United States,” Putin said at a summit in Beijing.

Version 2: The government revealed on Monday that thousands of NHS computers (just under 5%) were still using the old Windows XP operating system, although a No 10 spokesman said other Windows systems were also affected.
Version 3: In a statement, the office of Britain’s National Data Guardian said: “The need for steps to be taken to protect the health and care system against cyber-attack remains a priority for the national data guardian.

Version 2: In a statement, the office of the national data guardian said: “The need for steps to be taken to protect the health and care system against cyber-attack remains a priority for the national data guardian.
Version 3: “Dame Fiona highlighted the importance of this in the review that she published last year, and is committed to working with others across the system to ensure that effective measures are in place, and that lessons are learned from this incident.”

Version 2: Caldicott highlighted the importance of this in the review that she published last year, and is committed to working with others across the system to ensure that effective measures are in place, and that lessons are learned from this incident.”
Version 3: Hunt was also criticised by NHS leaders angry that trusts had been accused of bringing problems on themselves by making themselves vulnerable to cyber-attacks by not taking preventative measures seriously enough.

Version 2: Seven NHS trusts were still experiencing problems on Monday, including St Bartholomew’s hospital in London, York Teaching Hospitals NHS Trust and the University Hospital of North Midlands Trust.
Version 3: Chris Hopson, chief executive of NHS Providers, which represents most trusts, said: “The quick rush by some to lay the blame on ‘incompetent NHS managers’ is disappointing.
York trust was “almost engulfed” by the attack, leaving some outpatient appointments cancelled on Monday, especially at Selby War Memorial hospital.
Blackpool Teaching Hospitals NHS Foundation Trust, NHS Blackpool Clinical Commissioning Group (CCG) and NHS Fylde and Wyre CCG said services were open and operating “as best as possible” but asked patients only to attend A&E in life-threatening and urgent cases.
Asked during a visit to Oxfordshire on Monday morning if the government had ignored warnings about the vulnerability of the NHS to cyber-attacks, Theresa May said: “No. It was clear warnings were given to hospital trusts but this is not something that focused on attacking the NHS here in the UK.”
She added: “Europol say there are 200,000 victims across the world. Cybersecurity is an issue that we need to address. That’s why the government, when we came into government in 2010, put money into cybersecurity.
“It’s why we are putting £2bn into cybersecurity over the coming years and, of course, created the National Cyber Security Centre. We take cybersecurity seriously.”
May’s spokesman said: “There’s been much focus on the idea that NHS systems were running this XP Windows system. Firstly, other Windows systems were affected.
“This was not in any way limited to XP and more broadly on that, the percentage of NHS [England] systems that were running XP fell from 15-18% in December 2015 to 4.7% now.”
Hunt said it was “encouraging” that no further attacks on the NHS had been identified.
The chief executive of NHS Providers, Chris Hopson, said it was important not to engage in “NHS bashing”.
“The quick rush by some to lay the blame on ‘incompetent NHS managers’ is disappointing,” he said.
“It feels like the usual NHS bashing and is unsupported by evidence. This unfortunate blame game may in part be down to the fact that we are in the middle of a general election campaign.”
Both NHS Providers and Managers in Partnership (MiP), a trade union which represents 6,200 senior NHS managers, claimed government underfunding had caused problems by preventing health service bodies spending enough money on protecting their IT systems.
Hunt’s raids on the NHS capital budget in recent years had backfired, they said.
“We have been warning about the risks associated with switching funding from infrastructure priorities such as IT to deal with day-to-day running costs,” said Saffron Cordery, NHS Providers’ director of policy and strategy.
“Our members tell us they are deeply concerned that we are storing up problems for the future. When funding is squeezed in this way, there is sure to be a reckoning.”
Jon Restell, chief executive of MiP, said: “Managers are constantly balancing investment decisions, but chronic underfunding of the NHS has led to trusts being forced to give less priority to back-office systems and capital projects and understandably give priority to clinical running costs.
“However, this approach is not sustainable because the clinical frontline relies on an effective back office, as we discovered on Friday.”
However, he added: “In hindsight, some trusts may have been unwise to not prioritise investment in IT. The recent attacks will mean reappraisal of investment priorities.”
Hunt dismissed suggestions that the NHS’s tight budget had played a part in so many NHS bodies falling victim to the attack.
“Although we did use some of the capital budget for revenue spending, the IT budget has been protected – in fact the IT budget at the spending review in 2015 was increased substantially,” he said.
“We put £50m in to a new NHS cybersecurity centre, so this has been an area where despite all the financial pressures on the NHS, we have been increasing spend and that is why we were able to get more than 95% of services up and running normally for patients within 24 hours of this massive international attack.”
Forty of the 47 NHS organisations hit by the WannaCry attack had returned to normal service by Monday after a weekend of disruption. However, seven hospital trusts in England were still experiencing problems, which forced them to scale back the range of services they usually provide.
The Southport and Ormskirk trust cancelled all outpatient and endoscopy appointments and also CT and MRI scans scheduled to take place on Monday and Tuesday.
It also cut the number of operations it was due to carry out, but did continue to offer kidney dialysis, blood clinics and other services.
Barts Health in London, the NHS’s biggest trust, was another of those still affected on Monday. The trust said its hospitals were open again for emergency care but: “We have reduced the volume of planned services on Monday and Tuesday to ensure we can continue to run services safely.”
The East and North Hertfordshire trust cancelled non-urgent blood tests at its Lister, New QEII and Hertford County hospitals, and also suspended its diabetic screening service.
The impact of the ransomware attack, which has hit many hundreds of thousands of computers worldwide, lessened in Europe on Monday.
In China, “hundreds of thousands” of computers were affected, including petrol stations, cash machines and universities, according to Qihoo 360, one of China’s largest providers of antivirus software.
French carmaker Renault shut its Douai plant, one of its biggest sites in France employing 5,500 people, on Monday in order to upgrade its IT systems.