15 May 2017

On 12 May one in five NHS trusts were impacted by a ransomware cyber-attack. Lucy Campbell argues that government needs to think about accountabilities and capabilities, not just technology, to reduce future risks.

Forty-seven NHS trusts are among the global victims of the ransomware Wanna Decryptor. Microsoft has called on governments to see the attack as a “wake-up call” to improve their security and ensure systems are updated. But only last summer the Care Quality Commission and Dame Fiona Caldicott, National Data Guardian, warned Health Minister Jeremy Hunt of a "lack of understanding of security issues". Questions remain: why is the NHS still vulnerable and what can be learnt for the future?

Managing legacy

One of the problems with digital government is reforming the technology infrastructure which underpins its services (‘legacy’). There has been much speculation about how the continued use of Windows XP operating systems within the NHS contributed to the cyber-attack. Although only 4.7% of NHS devices use Windows XP, these are spread across 90% of trusts. Computers that had not been updated with Microsoft’s latest software were susceptible to the ransomware. Meanwhile, NHS legacies are further complicated by the patchwork of contracts across trusts. This digital fragmentation is in keeping with the scale of fragmentation within the NHS itself.

Accountabilities and standards

The NHS is in a “legacy nightmare”, but these technology problems have been exacerbated as no central organisation is responsible for digital in NHS trusts. Following the end of the 2015 contract with Microsoft, individual trusts have been responsible for their own upgrades. Since the attack both the Prime Minister and the Security Minister, Ben Wallace, have re-affirmed these responsibilities, saying central government provided £50 million to support NHS IT networks. Although the Government Digital Service (GDS) digital service standard states organisations must “address the security level, legal responsibilities, privacy issues and risks associated with the service”, this has been applied inconsistently across the NHS. The contrast with central government departments – which have not been affected by the ransomware – shows how much more needs to be done to spread digital standards across the public sector.

Capability and capacity

The existence of a new technology is not enough for take-up: change needs to be adaptive, requiring long-lasting engagement and individuals championing new technology. Moving away from legacy platforms requires time and skills which individual NHS trusts may lack or be unable to resource given current pressures. Furthermore, the financing of the NHS creates short time horizons and complicates the iterative processes and spending required for most IT upgrades.  

What next?

In our report, Making a success of digital government, we identify a number of challenges facing digital government. The failure to coherently approach several of these challenges (moving to full-scale transformation, tackling IT legacies and building a digitally capable workforce) in the wider public sector has left the NHS vulnerable. The next government on 8 June will need to:  

  • affirm and focus its commitment to digital technology
  • clarify who will take responsibility for supporting and enforcing standards, including security
  • continue to develop the digital professions and build expertise across the public sector.

Further information

We'll be publishing our second report on digital government later this year. 


It's not about Windows XP, most affected machines were Windows 7.

The vast majority of computers on NHS networks are not doing some legacy specialist task; they are doing mundane admin office work. They simply were not patched. It is that simple. They probably didn't need SMB1 running anyway; it should be disabled on every computer that does not need it, as has been advised for a long time. Are they not using VLANs either?

Software to mitigate the risk of ransomware has been available for a long time. I've been running HitmanPro.Alert for well over a year since Locky spread. The enterprise equivalent is Sophos Intercept X.

Government can throw as much money as they like at the NHS, but it's giving incompetent people a blank cheque. Typical "solution" to the NHS problem.
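The comment above says SMB1 should be disabled wherever it is not needed. The following script is an added example (not the article's or the commenter's code) that audits a Windows host for SMBv1 on both the server and client side and, with `-Disable`, turns it off; it assumes an elevated PowerShell session and falls back to the registry settings Microsoft documents for Windows 7 where the SMB cmdlets are absent.

```powershell
# Added example: audit SMBv1 state on a Windows host and optionally disable it.
# Assumes elevation. Uses Get-/Set-SmbServerConfiguration on Windows 8/Server 2012
# and later; older hosts are handled through the registry and driver start type.
param([switch]$Disable)

$haveSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$cliKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'   # SMB1 client redirector driver

function Get-Smb1ServerEnabled {
    if ($haveSmbCmdlets) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # On older hosts the SMB1 value is normally absent, which means "enabled" (the default).
    $v = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Get-Smb1ClientStartType {
    # Start = 4 means the driver is disabled; 3 (manual, the default) means it can still load.
    $start = (Get-ItemProperty -Path $cliKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) { return 'driver not present' }
    if ($start -eq 4)     { return 'disabled' }
    return "loadable (Start=$start)"
}

"SMB1 server protocol enabled : $(Get-Smb1ServerEnabled)"
"SMB1 client driver (mrxsmb10): $(Get-Smb1ClientStartType)"

if ($Disable) {
    if ($haveSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $srvKey -Name SMB1 -Type DWORD -Value 0
    }
    # Client side: stop the workstation service depending on the SMB1 redirector,
    # then disable the driver. This is the documented procedure for Windows 7.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    "SMB1 disabled; reboot for the client-side change to take effect."
}
```

Run the script without `-Disable` first across a sample of hosts to see how widespread SMB1 still is before changing anything; the client-side step should be skipped on machines that must still reach SMB1-only devices.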
