A SCOTS health board investigating the causes of a widespread cyber-attack found that hundreds of its computers were still using the 16-year-old Windows XP operating system, which was too old to accept a vital security patch.
Almost 500 patient appointments and procedures were cancelled when NHS Lanarkshire computers were infected by the WannaCry ransomware in May. It was the most seriously affected health authority in Scotland.
The health board was also hit by a further cyber-attack in August which led to 184 cancelled appointments.
[Image caption: Images like this, which surfaced in England, were thought to have appeared on computer screens.]
The WannaCry ransomware, which affected about 150 countries in May, took over user files, threatened to delete them within seven days and demanded $300 worth of the online currency Bitcoin to save them.
A report on the May problems has revealed that the vital patch which blocked WannaCry had not been fully rolled out.
A Microsoft patch issued in March 2017 which blocked WannaCry was being tested by the eHealth Team at the time of the attack, according to a health board review.
It had been deployed on GP servers but had not been rolled out due to "ongoing testing and limited resources to deploy the patch sooner".
But the review also found that 400 NHS Lanarkshire computers were still using Windows XP and could not accept the Microsoft patch that blocked WannaCry. Microsoft had since made a patch available for XP.
Reviewers said nearly half of the computers were required to run Windows XP as they were "supporting medical devices which could not operate on more up to date software", making them "particularly vulnerable".
Previously a software audit reported there were no PCs or laptops with XP installed in NHS Lanarkshire, but the review discovered that the software used to undertake the audit was "not functioning correctly and therefore not reporting correctly".
All support for Windows XP ended on April 8, 2014 and some experts describe it as "obsolete".
The reviewers said it was "important to note" that as a result no security patches would be available for the operating system.
The review said: "Due to the business critical nature of our IT systems and the heightened risk of malware attacks, it is important that future strategic investment decisions made by the board take due cognisance of this. It is important that given the increasing dependence on eHealth solutions that the board takes a holistic approach to its investment decisions."
It said that the current IT hardware estate and software systems should be reviewed to ensure that they have the latest software updates installed and that there is a reliable system in place to detect any out-of-date software.
It said that in "exceptional circumstances" it is recognised that some clinical systems continue to operate on out-of-date software.
But to minimise the risk this presents, the reviewers said such systems should be moved to a segregated area of the network.
The report said no data was stolen during the incident and it is believed no data was "lost or unrecoverable".
IT teams were able to "cleanse" all infected PCs in the week following the incident.
NHS Lanarkshire has said it took "prompt and robust action" following the attack, which helped limit the impact of the August malware incident.
Calum Campbell, NHS Lanarkshire chief executive, said: “We apologise to any patients affected by the May and August incidents. Our staff went above and beyond during these incidents to successfully minimise the inconvenience to patients and quickly restore our IT systems. The integrity of our patient data was maintained in both cases.
“Every organisation throughout the world needs to recognise and prepare for future cyber threats of this kind. Our experience, detailed analysis and learning from both incidents along with robust actions to enhance our cyber security mean that NHS Lanarkshire is much better placed to meet and respond to these challenges.”