NHS CyberSecurity lessons arising from the worldwide ransomware attack that occurred on the 14th of May is already prompting much debate for the NHS, much of which focuses on the failure of affected organisations to ensure adequate levels of investment on IT systems to mitigate the risk of this event.
The ransomware exploited a known issue with Windows XP, for which a patch had been issued earlier in the year. The biggest news headlines here in the UK concerned the impact this exploit had on the NHS, with a great many organisations appearing to have been caught out by the Windows XP vulnerability.
As is the case when the public sector suffers an adverse event, the call goes out for lessons to be learned, usually with an assumption that these are all new, but inevitably there will be those lessons that have already been learned, but just not put into practice.
Windows XP Legacy
Those that have been around NHS IT for a while will remember the last elected labour government’s implementation of the National Programme for IT (NPfIT) tasked to deliver a standard national NHS IT system. Regardless of what is thought about the success or failure of the programme, it did leave a lasting legacy long after it was cancelled.
Not least with those NHS organisations that had progressed to implementing NPfIT systems and solutions and in doing so, had tied themselves to technology standards defined by the program that could not be easily changed. In the commentary on following the ransomware event it has been highlighted that the legacy of NPfIT Windows XP implementations was the reason so many organisations were adversely affected.
In September 2011, the government announced the acceleration of the dismantling of the National Programme for IT*. Whilst at the time the impact of this decision was not significant, because NPfIT technology was still current and thus supported by providers, it should have perhaps been better recognised that this state was not sustainable in the long term. Especially for Windows XP, because the next version Windows 7 was already available (released Oct 2009) and being adopted across health in non NPfIT legacy environment.
Things finally came to a head for XP when Microsoft announced that it would be ending its patching and maintenance support for the platform in April 2014. Thankfully in acknowledging that there was still a dependency on this technology platform, the government took steps and signed an extra-ordinary deal with Microsoft** that secured continued support for XP across the UK public sector for another 12 months.
Critically, a condition of this agreement, was that any public sector body wishing to take advantage of this extended support arrangement, had to commit to development of a “robust plan” to move off Windows XP, Office 2003 and Exchange 2003 within the year.
Roll forward to 2015 and the next government decision on the matter was just as they had advised, that they would be closing down this extra-ordinary support arrangement ***, and is has to be said for good reason, on the basis that it was felt that continued central government funding of this deal was not consistent with the need to encourage organisations to urgently upgrade or migrate.
The question here however has to be, “was it reasonable to expect trusts to be able to find the funds for wholesale upgrade of unsupported operating systems in such a short time frame (this being equivalent to a single financial year)?
To further compound matters at the time, NHS organisations had been shielded from the full cost of wholesale systems upgrade throughout the time of NPfIT. A national licencing deal with major suppliers like Microsoft, removed the need for software costs to be met locally by NHS organisations ****.
Straight Out the PRINCE2 Textbook
It is accepted best practice that when a pre-existing programme or project is to be closed down, an impact assessment of the consequences should be undertaken. Not least so that the risk can be properly understood and adequate mitigations planned. If nothing else there is nearly always a financial consequence to closing programmes and projects and this is a very good example of one.
The NPfIT programme along with central licensing deals transformed the model of IT investment within the NHS for a decade. Switching these off and closing down the national deals the programme created was inevitably going to have consequences for participating organisations.
Some will argue that the implementation of the extra-ordinary support arrangements for legacy software was an act of risk mitigation. However, was it reasonable in 2014 to expect affected organisations to plan and implement an upgrade or migration of XP in a single financial year, without any additional financial support being provided?
The NHS had already been managing financial pressures for a good number of years before the decision to end XP support was taken. Certainly long enough for organisations to flag this to be a risk of significance, that without additional and extra-ordinary financial support, there was no way they were going to be able to take the steps needed to address the situation accordingly.
In summing up, it is clear that although the NPfIT national licencing deals themselves had been closed down some years earlier in 2010, the impact of this decision on local investment plans going forward, was never properly qualified or understood, and that further opportunities to address this in 2015 were missed and all the way up to 14th of May this year, 7 years on!
Shout to the Top
As an acknowledged risk, the XP issue should have been raised on the Information Governance (IG) Risk Register and flagged as a serious concern to the Senior Information Risk Owner (who by now and as a result of improvements to NHS IG standards) was a role assigned to a senior management representative on the board of the organisation.
Additionally, given the dependence on technology in meeting clinical outcomes, the risk should have also featured on the Clinical Risk Register, which would have flagged it up to the Chief Medical Officer, also a member of the board.
Just a cursory glance at most organisations annual reports and board papers will expose the fact that IT barely gets a mention, certainly any reviewer will be hard pressed to find any mention of XP specifically in the dealings of the boards in any one of the organisations affected, at any stage of the timeframe of this being an ongoing concern.
This therefore exposes a potentially bigger issue in that information technology investment and dependence is not a matter adequately represented at the board level, then or now.
This clearly is a matter of concern, given as the recent event exposed the criticality of the services dependence on the information technology in the performance of its primary function, delivery of treatment and care.
Frustratingly some of the commentary on the event included the phrase “IT is not the primary business of the NHS”, suggesting therefore it is not the NHS responsibility to ensure the reliability and safety of the tools it uses to deliver care, this is clearly nonsense.
It is perhaps partly this attitude that has excluded proper IT representation at the board level? Given the next stage of investment required and proposed by “paperless at the point of care” and “integrated digital health and care plans” and additional dependence on technology this will deliver, it is now time for IT to have a seat at the top table.
Information Governance STILL Maturing?
The NHS has an excellent online tool and system of guidance and assessment addressing information systems, security and good practice management standards (NHS Information Governance Toolkit). The tool is well established having been around and in use for more than 15 years with NHS organisations status reports openly published and available for review.
In April 2014 in a blog article entitled Patient Record Access – A Perspective 2 Years On I set out the more fundamental data protection and information governance challenges that the NHS needed to address to maximise the benefits potential of digital engagement. Not long after the original 2015 target for achieving patient record access was deferred to 2018 and linked to the “paperless at point of care” requirement.
Then and still today, technology innovation is widely acknowledged and accepted to be the primary method by which transformation of current health and social care models, and opportunities to deliver service effectiveness improvements and efficiencies at a substantial scale (£20bn+) going forward is to be achieved.
NHS 2020 digital roadmaps across the country outline ambitious plans addressing technology integration and innovations requirements needed to achieving “paperless at the point of care” and “integrated digital health and care record”. The levels of investment are significant, but then so is the benefits potential. For the first time in the history of health and social care, the technology to support transformation to a more pro-active and well-being orientated model is possible.
Success however will be heavily dependent on the digital engagement of patients and their carer’s and how effectively this is achieved. In this respect information governance will be a key deliverable and factor in how much and how quickly the benefits of patient digital engagement are secured and maintained going forward. Patients will need ongoing assurance that digital engagement is safe, and that their right to privacy is being properly protected.
Of the 33 major NHS organisations (community and acute hospitals) identified to have been affected, all have reported a “satisfactory” rating in the information governance self-assessments completed in March this year, in particular for the following requirements:
|Information Security Assurance|
|14-301||A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed|
|14-307||An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy|
|14-309||Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service – specific measures are in place|
|14-310||Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error|
|14-311||Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code|
|14-313||Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely|
The recent CyberSecurity event serves to remind the NHS, that despite all the good work done in the development of the information security and governance standards and despite all the resources that have been provided to help organisations get good at this, there is so much more to be done, and this too is going to require additional investment at the local organisational level.
Links to Articles