The government has been criticised for cutting IT support for the health service and failing to replace old computer systems. Meanwhile, ministers hit out at NHS bosses for not improving cybersecurity, amid reports that an upgrade that could have prevented the attack was made available a month ago.
This story doesn’t feel too surprising. Anyone who regularly deals with public services in person will probably have seen government employees struggling with outdated computer systems. Certainly, other major state-run organisations have also been hit by the ransomware, including German railway company Deutsche Bahn and the US Department of Homeland Security. But is the public sector really any worse than the private sector at keeping its IT security up to date and avoiding cybercrime?
The recent “WannaCry” attack was made possible by a flaw in the 15-year-old Windows XP operating system. Software manufacturers often provide updates or patches to their products after they discover such a flaw, to prevent cyber-criminals from exploiting it. However, Microsoft stopped routinely updating XP in 2014, and those still using it have to pay for custom support to receive any further patches.
Once the company became aware of the WannaCry flaw, it was quick to release a patch back in March. But because many customers were still using unsupported versions of XP, WannaCry rapidly infected a large number of systems when it emerged in May. Microsoft then made its patch available to all XP users, but many of those who didn’t update immediately were caught out. This is exactly what happened within the NHS.