A Freedom of Information request has revealed that NHS Scotland is struggling to protect itself from cyber attacks after last year’s WannaCry outbreak highlighted the dangers of running outdated computer systems.
Currently, 11 of Scotland’s 14 NHS boards still rely on Windows XP, an operating system that Microsoft stopped supporting some four years ago and whose last service pack (SP3) dates from 2008. The only significant activity for Windows XP since support ended came last year, when Microsoft released a one-off, out-of-band patch for the SMB flaw that WannaCry used to spread.
Across NHS Lothian in particular, the request revealed that 3,000 of its 19,000+ computers still run XP. That is roughly 15% of all NHS Lothian devices left exposed to attack.
NHS Scotland’s continued use of such an outdated operating system raises serious questions over patient data security, how the health service has responded to recent attacks and what security precautions will be implemented moving forward.
In 2017, NHS trusts across Scotland and the rest of the UK were hit by the crippling WannaCry attack, acknowledged as one of the largest ransomware outbreaks in history. WannaCry infected more than 300,000 computers in 150+ countries, encrypting files and demanding a ransom to ‘unlock’ them.
The incident caused major disruption to patient care, with a number of GP surgeries in England having to turn patients away and cancel appointments. NHS staff were reported to have fallen back on pen and paper or their personal phones rather than risk using their work computers.
Outdated & Underfunded?
With such widespread disruption caused by unpatched systems, can NHS boards really afford to keep using outdated operating systems, or is the perceived danger blown out of proportion?
David Stubley, CEO of 7 Elements Security Consultancy, pointed out that when serious problems have affected XP, patches have still been made available. In his view the real issue is whether the processes and infrastructure are in place to confirm that systems are not exposed.
“The focus of the issue should be on ‘does NHS Scotland have a robust patch management and assurance programme in place to confirm that they are not exposed’ rather than misplaced panic around XP.”
“We should be asking more detailed questions and looking at what other mitigating controls are in place, such as air-gapped networks and endpoint controls to minimise the likelihood of malicious code being introduced.”
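The assurance question Stubley raises (is a given XP host actually exposed, or is the missing patch compensated for by other controls?) can be answered mechanically from an asset inventory. The following is an added example, not code from the article or from 7 Elements; it assumes a hypothetical CSV export with the columns hostname, os, hotfixes, smb1_enabled, reachable_on_445 and segment, and the hostnames, segments and non-MS17-010 KB numbers in the sample rows are constructed placeholders. The one real identifier is KB4012598, the out-of-band MS17-010 patch Microsoft issued for Windows XP SP3 and Server 2003 in May 2017.

```python
"""
Exposure triage for legacy Windows hosts from an inventory export.

Added example (not code from the article). The CSV layout and the sample
rows are constructed; only KB4012598 is a real patch identifier.
"""
import csv
import io
from dataclasses import dataclass

# Out-of-band MS17-010 patch for Windows XP SP3 / Server 2003 (May 2017),
# the "one-off" patch referred to in the article.
LEGACY_MS17_010_KB = "KB4012598"
LEGACY_OS = {"Windows XP", "Windows Server 2003"}

# Constructed inventory rows. Hostnames, segments and the KB9999xxx numbers
# are placeholders, not real assets or patches.
INVENTORY_CSV = """hostname,os,hotfixes,smb1_enabled,reachable_on_445,segment
LOT-XP-001,Windows XP,KB4012598;KB9999001,yes,yes,clinical-lan
LOT-XP-002,Windows XP,KB9999001,yes,yes,clinical-lan
LOT-XP-003,Windows XP,,yes,no,imaging-isolated
LOT-XP-004,Windows XP,,no,yes,clinical-lan
LOT-2K3-001,Windows Server 2003,,yes,yes,datacentre
LOT-W10-001,Windows 10,KB9999002,no,yes,clinical-lan
"""


@dataclass(frozen=True)
class Host:
    hostname: str
    os: str
    hotfixes: frozenset
    smb1_enabled: bool
    reachable_on_445: bool
    segment: str


def _flag(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def parse_inventory(text: str) -> list:
    """Parse the CSV export into Host records; hotfixes are ';'-separated."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        kbs = frozenset(k.strip().upper() for k in row["hotfixes"].split(";") if k.strip())
        hosts.append(Host(row["hostname"].strip(), row["os"].strip(), kbs,
                          _flag(row["smb1_enabled"]), _flag(row["reachable_on_445"]),
                          row["segment"].strip()))
    return hosts


def assess(host: Host) -> tuple:
    """Return (rating, reasons) for one host.

    exposed      : legacy OS, patch absent, SMBv1 on and 445/tcp reachable (wormable)
    mitigated    : legacy OS, patch absent, but a compensating control blocks the vector
    patched      : legacy OS with the out-of-band patch present (still unsupported)
    out_of_scope : not a legacy OS; covered by the normal patch cycle
    """
    if host.os not in LEGACY_OS:
        return "out_of_scope", []
    if LEGACY_MS17_010_KB in host.hotfixes:
        return "patched", [f"{LEGACY_MS17_010_KB} present; OS still unsupported"]
    reasons = [f"{LEGACY_MS17_010_KB} missing"]
    controls = []
    if not host.smb1_enabled:
        controls.append("SMBv1 disabled")
    if not host.reachable_on_445:
        controls.append(f"445/tcp not reachable from general network ({host.segment})")
    if controls:
        return "mitigated", reasons + controls
    return "exposed", reasons + ["SMBv1 enabled", "445/tcp reachable"]


def summarise(hosts) -> dict:
    """Count hosts per rating and list the ones needing immediate action."""
    counts = {"exposed": 0, "mitigated": 0, "patched": 0, "out_of_scope": 0}
    exposed = []
    for h in hosts:
        rating, _ = assess(h)
        counts[rating] += 1
        if rating == "exposed":
            exposed.append(h.hostname)
    return {"counts": counts, "exposed": sorted(exposed)}


def main():
    hosts = parse_inventory(INVENTORY_CSV)
    for h in hosts:
        rating, reasons = assess(h)
        print(f"{h.hostname:12} {h.os:20} {rating:12} {'; '.join(reasons)}")
    print(summarise(hosts))


if __name__ == "__main__":
    main()
```

The point of the triage is that "runs XP" and "is exposed" are different questions: of the five legacy hosts in the constructed sample, only two come out as exposed, because one has the patch and two are shielded by a compensating control. A real programme would feed reachability from an actual scan rather than an inventory flag, and would still treat "patched" and "mitigated" XP hosts as migration debt, since no further fixes will be issued for them.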
Professor Bill Buchanan (Edinburgh Napier University), however, believes the NHS’ continued use of operating systems such as Windows XP is indicative of the lack of investment available to the public sector, stating:
“We are a long way short in the general provision of digital services within our public sector, and the existence of Windows XP machines within the NHS perhaps shows a gross lack of investment in modernising our health care infrastructure.”
Steps do appear to be under way to improve the cyber resilience of Scotland’s public services. The Public Sector Action Plan, developed by the Scottish Government and the National Cyber Resilience Leaders’ Board, is an ambitious attempt to bring Scotland’s public services up to scratch, and will establish a minimum baseline for cyber security standards across the sector.
Deputy First Minister, John Swinney, described the move at the time as a “significant step towards establishing that wider culture of cyber resilience in Scotland.”
The Scottish Government is not alone in its efforts to secure the public sector from attack. This coming May will see the implementation of the EU Directive on Security of Network and Information Systems (NIS Directive), and for NHS Scotland the clock is ticking. Even with the UK due to leave the EU in March 2019, British institutions will still need to comply.
The NIS Directive applies to operators of essential services, a category that includes healthcare providers, who under the directive will be required to take ‘appropriate technical and organisational measures to secure their network and information systems’.
A designated competent authority will oversee NHS compliance with the directive.