
NHS IT expert: fund critical legacy system removal, not information governance scrutiny

By David Bicknell, published 15 May 2017

Instead of funding more governance scrutiny in the wake of the cyber attacks, the money would be better spent removing critical legacy systems that are not cost effective for trusts to replace on their own


One IT specialist in the NHS has outlined the challenges for his organisation in coping with last Friday’s cyber attacks.

The specialist indicated that his organisation was not hit, which he put down partly to luck but also to the organisation's rapid reaction on Friday and the urgent remedial work that followed.

Information governance responsibility, particularly for patching and updates, has come under scrutiny since the attacks. Asked about it, the source said, “Information governance responsibility will vary from trust to trust and includes ICT based information governance and cyber security expertise, alongside the Caldicott Guardian and senior information risk owner. These are senior roles in a hospital and are taken seriously.

“There is a strong rigour around production and review of safety cases and hazard logs for system changes and new uses of data, and hospitals tend to be impressively good with business continuity plans (BCP) to continue operating in a major incident or major loss of systems.”

Asked whether there should be greater scrutiny of information governance, the source said, “No, I think that cost could be put into funding to support the removal of some critical legacy systems that are not cost effective to remove on their own.

“The fact that circa 43 of the 45 hospitals were up and running systems again the next day is impressive in itself. And the ability of key very large hospitals to continue operating using paper-based BCPs without impacting patient safety suggests to me that the NHS is better prepared than most. This threat was not specific to legacy systems, so correlations between these being the reason the NHS was attacked make little sense,” he added.

The source said, “Despite all the hype about how poorly the NHS was prepared for such an attack, the reality is that it was a zero-day virus that exploited a Microsoft vulnerability that Microsoft only provided a non-critical patch for in March and which many organisations hadn't yet implemented via their quarterly patch cycles. Had it been labelled critical, most of us would have had it in place by now.”

The source added that remediation involves patching all Microsoft devices, “a task much harder in a 24/7 environment than in many parts of government. Antivirus signatures are inherently easier to roll out once available.”

In response, Microsoft pointed to its 'Customer Guidance for WannaCrypt Attacks' post, which sets out the information on the patch it issued in March.

It also provided a link to the March Security Bulletin.
