We agree with Martin et al. that the NHS must urgently improve the state of its cybersecurity in the face of the constant threat of cyberattack from many forms of malware. The recent “Wannacry” ransomware worm is only the latest example of a cyberattack on healthcare organisations, albeit a particularly damaging one.
Much has been made of the impact of Wannacry on the NHS, with around 47 NHS organisations severely affected. However, it should not be forgotten that there were an estimated 200,000 victims in approximately 150 countries. Large private sector organisations were also affected, e.g. Spain’s Telefonica, a major telecoms company; Nissan, a global car manufacturer; FedEx, an international shipping company; and Renault, another major car manufacturer.
Infections with Wannacry were not limited to the hard-pressed NHS.
Martin et al. echo the mass media’s focus on the continued use of the obsolete Microsoft Windows XP operating system in the NHS. Windows XP was launched in 2001, and support, including security updates, ceased in April 2014. From a cybersecurity point of view, continuing to rely on this 16-year-old operating system is indefensible, and not solely because of Wannacry. To quote Microsoft’s Director of Security, writing in 2013: “…the security mitigations built into Windows XP (service pack 3) are no longer sufficient to blunt many of the modern day attacks we currently see.”
The Government has been criticised for ceasing, in April 2015, to fund continued software updates for the hopelessly outdated Windows XP systems in the NHS. This meant that no new updates were available to NHS computers running Windows XP, increasing their vulnerability.
However, if the Government had continued to pay Microsoft for these updates, the NHS would have had little incentive to finally abandon Windows XP and update to a more modern operating system. Continued funding of these updates would have led to a quite literal false sense of security and perpetuated the use of obsolete, insecure software in the NHS.
Windows XP is not the only version of Microsoft Windows vulnerable to Wannacry. More modern versions of Windows, up to and including Windows 8.1 and Windows Server 2012, are also vulnerable if unpatched, because the worm spreads through a flaw in the Windows SMB file-sharing service (see the CERT-EU advisory below) for which Microsoft had issued a patch before the outbreak. It is not enough to use a relatively modern version of Windows; these installations must be kept up to date with the latest security patches.
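The point above, that a modern Windows version is only safe if it is actually patched, is something an NHS IT team can check per host. The PowerShell script below is an added example by the editors, not code from the letter or from any of its references. It reports whether the SMBv1 server service that Wannacry attacked is still enabled (and disables it if asked), and whether the Microsoft fix is listed among installed updates. The bulletin name MS17-010, the KB numbers, and the registry value used here are the editors’ own knowledge and not taken from the letter; verify them against Microsoft’s MS17-010 bulletin before relying on this script.

```powershell
# Added example (the editors', not code from the letter or its references).
# Audits one Windows host for the two conditions the letter's point turns on:
# is the SMBv1 server, which WannaCry's worm component attacked, still
# enabled, and is the MS17-010 fix listed as installed. Run from an elevated
# prompt. Assumptions not stated in the letter: MS17-010 is the relevant
# bulletin, the KB numbers below come from it, and the LanmanServer "SMB1"
# registry value controls SMBv1. Verify all three against Microsoft's bulletin.
# Uses Get-WmiObject and the registry so it also runs on Windows 7 / Server
# 2008 R2 (Get-SmbServerConfiguration only exists from Windows 8 onwards).

param([switch]$DisableSmb1)   # pass -DisableSmb1 to apply the mitigation

$os  = Get-WmiObject Win32_OperatingSystem
$ver = ($os.Version -split '\.')[0..1] -join '.'   # e.g. "6.1" for Windows 7
Write-Output ("Host {0}: {1} (version {2})" -f $env:COMPUTERNAME, $os.Caption, $os.Version)

# --- 1. SMBv1 server state ------------------------------------------------
# DWORD "SMB1" under LanmanServer\Parameters: 0 = disabled; absent or 1 = enabled.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $paramKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)
if ($smb1Enabled) {
    Write-Warning 'SMBv1 server is ENABLED: reachable by the WannaCry exploit if unpatched.'
    if ($DisableSmb1) {
        Set-ItemProperty -Path $paramKey -Name SMB1 -Value 0 -Type DWord
        Write-Output 'SMBv1 disabled in the registry; restart the host to apply.'
    }
} else {
    Write-Output 'SMBv1 server is disabled.'
}

# --- 2. MS17-010 presence (indicative only) -------------------------------
# Security-only and monthly-rollup KB ids per kernel version (assumed; verify).
# Later cumulative rollups supersede these, so a fully patched host may list
# none of them: treat a miss as "investigate further", not as proof of exposure.
$ms17010 = @{
    '5.1' = @('KB4012598')               # Windows XP (out-of-band fix, May 2017)
    '6.0' = @('KB4012598')               # Windows Vista / Server 2008
    '6.1' = @('KB4012212', 'KB4012215')  # Windows 7 / Server 2008 R2
    '6.2' = @('KB4012214', 'KB4012217')  # Windows 8 / Server 2012
    '6.3' = @('KB4012213', 'KB4012216')  # Windows 8.1 / Server 2012 R2
}
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
$expected  = $ms17010[$ver]
if (-not $expected) {
    Write-Output "No MS17-010 KB list for version $ver (Windows 10 receives the fix in its cumulative updates)."
} else {
    $found = $expected | Where-Object { $installed -contains $_ }
    if ($found) {
        Write-Output ("MS17-010 listed as installed: {0}" -f ($found -join ', '))
    } else {
        Write-Warning ("MS17-010 not listed (expected one of {0}); check the rollup history." -f ($expected -join ', '))
    }
}
```

Run it as `.\Check-Smb1.ps1` to audit, or `.\Check-Smb1.ps1 -DisableSmb1` to also turn SMBv1 off (the host needs a restart afterwards). Disabling SMBv1 is the mitigation that protects a host regardless of patch level, which is why it is checked first; the hotfix listing is a secondary signal because later cumulative updates replace the original KB ids.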
Martin et al. say that the governance of cybersecurity in the NHS is unclear. They talk of the (cybersecurity) “…buck being passed from one organisation to another…”.
However, it is clear that NHS organisations have a legal responsibility, under the Data Protection Act 1998, to protect the confidentiality of the patients they look after. NHS organisations must also maintain business continuity, even in adverse conditions, in order to deliver healthcare effectively. This means that the cybersecurity of NHS organisations must be of a reasonable standard across the board.
In the aftermath of one of the most significant global cyberattacks in recent memory, the NHS will almost certainly do what is obviously necessary and review the state of cybersecurity across all NHS organisations. This is not a time for finger-pointing or shroud waving at the NHS or Government. It is time for NHS leaders to wake up to the multifarious cyber threats knocking on their digital doors & secure their electronic estates.
1. Martin G, Kinross J, Hankin C. Effective cybersecurity is fundamental to patient safety. BMJ 2017;357:j2375. doi: https://doi.org/10.1136/bmj.j2375
2. McGoogan C, Titcomb J, Krol C. What is WannaCry and how does ransomware work? The Telegraph, 18 May 2017. http://www.telegraph.co.uk/technology/0/ransomware-does-work/
3. Reuters. More disruptions feared from cyber-attack; Microsoft slams Government secrecy. 15 May 2017. http://www.reuters.com/article/us-britain-security-hospitals-idUSKBN18820S
4. Rains T. The risk of running Windows XP after support ends April 2014. Microsoft Secure Blog, 15 August 2013. https://blogs.microsoft.com/microsoftsecure/2013/08/15/the-risk-of-runni...
5. CERT-EU. Wannacry ransomware campaign exploiting SMB vulnerability. Security advisory 2017-012, 18 May 2017. http://cert.europa.eu/static/SecurityAdvisories/2017/CERT-EU-SA2017-012.pdf
6. Data Protection Act 1998. http://www.legislation.gov.uk/ukpga/1998/29/contents
Competing interests: The views expressed are our own and not those of our employer(s).