13/05/2017 10:18 BST

Government Urged To Clarify Whether NHS Bodies Could Have Stopped Cyber Attack

The Government and NHS bosses are facing growing questions over why hospitals across the country were crippled by a global cyber attack amid suggestions preventative measures could have been taken "months ago".

The health service faces a weekend of chaos after the unprecedented attack forced hospitals to cancel and delay treatment for patients.

It is feared computers in A&E wards, GP surgeries and other vital services across the NHS were infected with a virus based on hacking tools developed by US cyber warfare agents.

At least 30 health service organisations in England and Scotland were infiltrated by the malicious software, while many others shut down servers as a precautionary measure, bringing added disruption.

Doctors reported seeing computers go down "one by one" as the "ransomware" took hold on Friday, locking machines and demanding money to release the data.

The National Cyber Security Centre (NCSC) said teams were "working round the clock" in response to the attack as it was reported up to 99 countries, including the US and Russia, were hit.

Prime Minister Theresa May said the Government is not aware of any evidence patient records had been compromised.

"This is not targeted at the NHS, it's an international attack and a number of countries and organisations have been affected," she added.

However, shadow health secretary Jonathan Ashworth said the attack was "terrible news and a real worry for patients" and urged the Government to be "clear about what's happened".

Ross Anderson, professor of security engineering at Cambridge University's computer lab, said the incident is the "sort of thing for which the secretary of state should get roasted in Parliament.

"If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, then whose fault is that?" Mr Anderson told The Guardian.

Experts say the virus, called Wanna Decryptor, exploits a vulnerability in Microsoft Windows software first identified by American spies at the National Security Agency (NSA).

The tools were leaked on the web earlier this year when hackers dumped a cache of NSA files following a security breach.

Prior to the dump, Microsoft released a fix, or patch, for the issue, although computers that did not install the update, or could not due to the age of their software, would have been vulnerable to attack.

The US Department of Homeland Security said on Friday that the patch, released by Microsoft on March 16, "addresses this specific vulnerability, and installing this patch will help secure your systems from the threat".

In December it was reported nearly all NHS trusts were using an obsolete version of Windows that Microsoft had stopped providing security updates for in April 2014.

Data acquired by software firm Citrix under Freedom of Information laws suggested 90% of trusts were using Windows XP, then a 15-year-old system.

It is not known how many computers across the NHS today are still using Windows XP or recent variants Windows 8 and Windows 10.

Just one day before Friday's attack a doctor warned that NHS hospitals needed to be prepared for an incident precisely of the kind seen.

In an article published in the British Medical Journal, Dr Krishna Chinthapalli, a neurology registrar at the National Hospital for Neurology and Neurosurgery in London, said hospitals "will almost certainly be shut down by ransomware this year".

As the scale of the security breach became clear on Friday afternoon, ambulances were diverted and patients told to avoid some A&E departments.

Staff reverted to pen and paper and used their own mobiles after key systems were affected, including telephones.

A total of 19 English health organisations reported problems, including hospitals and clinical commissioning groups (CCGs) in London, Blackpool, Hertfordshire and Derbyshire.

United Lincolnshire Hospitals NHS Trust said it was forced to cancel all outpatient, endoscopy, cardiology and radiology weekend appointments across its three hospitals.

In Scotland, 11 geographical health boards, including the ambulance service and acute hospital sites, saw their IT networks infected.

At least one health trust found itself named as a victim of the cyber attack despite actually suffering from an unrelated server problem.

Security chiefs and ministers have repeatedly highlighted the threat to Britain's critical infrastructure and economy from cyber attacks.

In February the NHS official responsible for IT security warned that cyber attacks "have and will affect patient care".

Dan Taylor said "health has never paid a ransom" and organisations can recover files using backups; however, it can still lead to "days of cancellations to patient facing services".

In Russia, the Interior Ministry said around 1,000 computers were hit by a cyber attack on Friday.

Several companies in Spain were also crippled by ransomware attacks.

Telecoms firm Telefonica was one of those reporting problems, along with courier firm FedEx.

Last year, the Government established the NCSC to spearhead the country's defences.

In the three months after the centre was launched, there were 188 "high-level" attacks as well as countless lower-level incidents.

Chancellor Philip Hammond disclosed in February that the NCSC had blocked 34,550 potential attacks targeting UK Government departments and members of the public in six months.

Researcher Marco Cova said critics should take the complexity of keeping systems up-to-date into account.

"It's easy to blame people who don't upgrade," he said.

"But in practice things are often more complicated: operations teams may not touch legacy systems for a number of reasons; in some cases they may even be unaware that such legacy systems are running in their infrastructure."

The virus's global spread has been slowed by the triggering of a virtual "kill switch" built into the malware, according to reports.

It is understood the virus searched the web for a web address that, once activated, stopped the worm's transmission.

According to The Register the domain was activated on Friday.

Home Secretary Amber Rudd said work was ongoing to identify the attackers, and that no patient data had been stolen.

She told BBC Radio 4's Today programme the virus had not been targeted at the NHS, saying the attack "feels random in terms of where it's gone to and where it's been opened".

It has affected 45 NHS organisations, Ms Rudd said.

She added: "Windows XP is not a good platform for keeping your data as secure as the modern ones, because you can't download the effective patches and anti-virus software for defending against viruses.

"CQC (Care Quality Commission) does do cyber checks on the NHS trusts, on hospitals when they do their visits, and they will be advising NHS trusts to move to modernise their platforms and I think that after this experience, I would expect them all to move forward with modernising."

Ms Rudd said the UK was a world leader in cyber security, adding: "So far, all we have seen is patients inconvenienced, some hospitals, some doctors making changes to their daily life.

"But the fact is no data has yet been accessed and the NHS are brilliantly managing to weave through this disruption."

Ms Rudd told BBC Breakfast she could not confirm that all NHS files are backed up.

She said: "I hope the answer is yes, that is the instructions that everybody has received in the past. That is good cyber defence, but I expect, and we will find out over the next few days if there are any holes in that."

She added: "There may be lessons to learn from this but the most important thing now is to disrupt the attack, let's come back to afterwards whether there are lessons to be learned."

She later told Sky News: "It is disappointing that they have been running Windows XP - I know that the Secretary of State for Health has instructed them not to and most have moved off it."

She added: "Where the patient data has been properly backed up, which has been in most cases, work can continue as normal because the patient data can be downloaded and people can continue with their work."

Ms Rudd will chair a Cobra meeting in Whitehall at 2.30pm.