NHS computers still run system attacked by WannaCry hack

The majority of NHS health boards in Scotland are still operating outdated computer systems despite last year's crippling cyber attacks which exploited a flaw in the programme.

Edinburgh Royal Infirmary's A&E Department. Lothian has by far the highest proportion of computers running XP. Picture: Greg Macvean

A total of 11 out of 14 authorities confirmed through a Freedom of Information (FoI) request that they still operate Windows XP, which was targeted by criminals using malicious ransomware software known as WannaCry.

Almost 3,000 out of 19,251 computers (15 per cent) across NHS Lothian continue to run Windows XP, making the health board the most vulnerable to a further attack.

Sign up to our daily newsletter

The i newsletter cut through the noise

Microsoft ended support for Windows XP in April 2014. The last major security update was carried out as far back as 2008. Last May, Microsoft released a one-off patch for XP to prevent users sharing files that were being used to spread the ransomware virus across the world, including the UK-wide NHS infrastructure.

Shadow health secretary Miles Briggs said it was “completely irresponsible” to be running out of date computer programs.

“The cyber attacks last May affected 11 of the 14 health boards in Scotland and NHS Lothian was fortunate not to have been hit,” he said. “NHS Lothian has by far the most computers running on Windows XP, that no longer runs security updates, leaving NHS Lothian open to cyber attack.”

Half of the NHS boards in Scotland failed to provide a date for which they would phase out the Windows XP system and Police Scotland claimed an exemption from the FoI on the basis that “disclosure would provide those intent on disrupting police activities with enough information to plan and execute a targeted attack”.

Hackers often demand its victims pay a ransom to access their frozen files or to remove harmful programs. They dupe users into clicking on a fake link – whether it’s in an email or on a website, causing an infection to corrupt the computer.

A Scottish Government spokesperson said: “Any suggestion that NHS Lothian has been left ‘at risk’ are simply not true. Scotland’s public sector organisations take cyber security very seriously. Our public sector action plan on cyber resilience, produced in partnership with the National Cyber Resilience Leaders’ Board, sets out common baseline measures that all public sector organisations – including NHS boards – are currently working towards. From May 2018 the EU Security of Network and Information Systems Directive will come into effect. This will set out robust cyber resilience requirements. A body will be established which will be responsible for regulating NHS boards’ compliance with these requirements.”