The ransomware attack is all about insufficient funding of the NHS | Charles Arthur

Amber Rudd, the home secretary, can burble all she wants but the Tories have overseen chaos in NHS computing systems

The heart sinks whenever Amber Rudd, the home secretary, talks about anything to do with computers. On Saturday, in the wake of the malware attack that has crippled hospital IT systems, she was on Radio 4’s Today programme: “We are ahead of this [attack] with the National Cyber Security Centre (NCSC), the advice is available,” she pronounced proudly, as though putting “national” and “cyber” on something automatically granted it authority.

“Patients have been inconvenienced,” she conceded, “but no patient data has been accessed and the NHS is brilliantly managing through this.”

The lack of access to patient data doesn’t apply just to the hackers, of course; NHS staff couldn’t get at it, either, because many NHS hospitals and GP practices had been hit by ransomware – a specific species of malware that encrypts all the files on your machine using a military-grade cipher, and demands payment in the practically untraceable currency bitcoin to a website on the hidden Tor network. As a business, ransomware works: the number of attacks worldwide has been going up exponentially in the past few years, so that at one point recently a substantial proportion of Tor sites were just payment sites automatically generated by ransomware.

Ransomware is an idea first developed more than 20 years ago, and reverses the usual form of hacking – where the threat comes from others having access to data; ransomware’s threat is that nobody can access your data, including you. It’s now commonplace; you can buy kits online to spread it virally.

The British hospitals hit by this latest attack, which weaponised a flaw in Microsoft’s Windows operating system revealed in February, are hopelessly outgunned. They’re running Windows XP, an operating system first released in September 2001, and which Microsoft itself gave up supporting in 2014; it has been kept on life support by extra payments to the company, but the Department of Health stopped making those in 2015.

Worldwide ransomware attack hits NHS hospitals

More generally, a survey by Sky News’s Tom Cheshire of NHS trusts’ spending on securing data found that seven of them, serving more than two million people, spent nothing, and the average spend across 92 trusts that replied was just £22,000 annually. (Another 43 trusts couldn’t specify their costs.) That’s paltry in the face of concerted hacking efforts.

All that made the events of the past few days a disaster waiting to happen. For all the Tories’ droning on about not wanting a coalition of chaos, they’ve overseen exactly that in the health service, where computing departments are fragmented nationally due to the franchised nature of health trusts and underinvestment is rife.

The problem is that hardly anyone will acknowledge that – even inside the NHS. A couple of weeks ago I was wandering the halls of the Olympia conference centre in London, at the E-Health conference, looking for a hospital that would admit to having been hit by ransomware. (I’m writing a book about hacking incidents, and ransomware is one of the topics.) I came across Gary, who works for Nouveau, a computer security company. Though the conference was busy, Gary’s stand was quiet. Attendees – almost all from the NHS – were gathering around uplifting talks about “customer focus” and “rapid response” and “patient-centred working”, and oohing at stands offering to “use the cloud to unlock the power of your data”.

I explained my mission to Gary, who expressed frustration: the scale both of risk and complacency around computer security in the NHS was so clear to him, but the people in charge of the departments, and the executives above them, wouldn’t listen. “It’s going to happen more and more,” he said.

This latest attack is high profile but only because it has hit so many trusts at once. In fact, ransomware has been hitting hospitals regularly for some time now. An FoI enquiry by RES published in February found that 88 of the UK’s 260 NHS trusts had been hit by ransomware between mid-2015 and the end of 2016. Imperial College Healthcare suffered 19 attacks in 12 months. When Papworth hospital was hit in autumn 2016, its four IT staff worked from 1am to 9pm on a Sunday to restore the systems from backups; it had no budget to pay the ransom (and wouldn’t want to). “If we’d been doing a heart operation on a Sunday, it would have been a huge problem,” Jane Berezynskyj, Papworth’s IT director, later said.

Public services aren’t disproportionately targeted by hackers; if anything, they tend to offer less interesting pickings to profit-seeking hackers than smaller commercial outfits. But they constitute low-hanging fruit for ransomware in particular.

Rudd can burble as much as she wants, but the £1bn put into the NCSC is a fraction of the amount needed to upgrade the NHS’s IT systems. The next government should acknowledge that fact. Hacking is a constant, evolving threat; organisations that don’t upgrade their protection are picked off – either through intentional targeting or because their defences are lower. This weekend could have been worse. Unless someone grasps the nettle of essential spending to upgrade the NHS’s computer systems, it will be. We just don’t know when.

Charles Arthur is writing a book on hacking incidents to be published in 2018.

  • This article was corrected on 13 May. The Sky News report was carried out by Tom Cheshire, not Nick Stylianou.


Charles Arthur

The GuardianTramp

Related Content

Article image
Cybersecurity stocks boom after ransomware attack
Companies see share prices rise sharply amid expected increase in spending on IT security after WannaCry hack

Nick Fletcher and Haroon Siddique

16, May, 2017 @3:35 PM

Article image
Jeremy Hunt 'ignored warning signs' before cyber-attack hit NHS
Shadow health secretary says concerns were repeatedly flagged about outdated computer systems that are vulnerable to attack

Staff and agencies

13, May, 2017 @3:56 PM

Article image
Criminals behind cyber-attack have raised just $20,000, experts say
Firm investigating illicit activity identifies three associated bitcoin addresses but can’t trace individuals before funds are withdrawn

Nadia Khomami

13, May, 2017 @1:35 PM

Article image
NHS cyber-attack causing disruption one week after breach
Hospitals slowly returning to normal after ransomware attack led to cancelled operations and diverted ambulances

Jamie Grierson and Samuel Gibbs

19, May, 2017 @3:12 PM

Article image
Russian ransomware attacks increased during 2021, joint review finds
Britain, the US and Australia point to growth in ‘sophisticated, high-impact ransomware incidents’

Dan Sabbagh Defence and security editor

09, Feb, 2022 @2:07 PM

Article image
Operations cancelled as Hunt accused of ignoring cyber-attack warnings
Regulator said last summer that threat of attacks had put patient data at risk and jeopardised clinicians’ access to records

Denis Campbell and Haroon Siddique

15, May, 2017 @12:58 PM

Article image
What is WannaCry ransomware and why is it attacking global computers?
Malicious software has attacked computers across the NHS and companies in Spain, Russia, the Ukraine and Taiwan. What is it and how is it holding data to ransom?

Alex Hern and Samuel Gibbs

12, May, 2017 @4:16 PM

Article image
New 'nasty' ransomware encourages victims to attack other computers
Popcorn Time malware offers users free removal if they get two other people to install link and pay

Alex Hern

12, Dec, 2016 @11:55 AM

Article image
Cyber-attack sparks bitter political row over NHS spending
Labour and Lib Dems claim Conservatives’ austerity squeeze has left service with outdated and unprotected IT systems

Jamie Doward and Mark Townsend

14, May, 2017 @7:00 AM

Article image
Ransomware attack hero condemns 'super-invasive' tabloids
Marcus Hutchins says he will have to move house after newspaper identified him and published his full address

Nadia Khomami

22, May, 2017 @8:44 AM