
UK government, NHS and Windows XP support - what really happened

In all the debate about the NHS ransomware attack, much has been made of a government decision in 2015 to end a contract with Microsoft to provide support for the ageing Windows XP operating system that was widely in use across the NHS at the time.

Continued use of XP has been highlighted as one of the factors that enabled the ransomware attack – although the bigger issue is the lack of discipline in patching newer versions of Windows, which left PCs exposed to a known vulnerability for which a fix had been available for two months.

The XP support deal has even become a political issue, with Labour criticising the Conservatives for “cancelling” support for XP. The truth is very different, and sheds light on the deep organisational and structural issues within NHS IT that made a cyber attack on this scale inevitable. It also raises questions about how the prevailing political ideology directing the NHS contributed to the situation.

Computer Weekly has talked to several people directly involved with the decision not to renew the original 2014 support deal with Microsoft. They have asked to remain anonymous, but they provide insights into why the NHS was uniquely vulnerable to this attack.

A purely commercial agreement

The £5.5m XP support contract with Microsoft, signed in 2014, was trumpeted by the Crown Commercial Service (CCS) and the Government Digital Service (GDS) as a helping hand for public sector organisations that had yet to migrate off XP – the end of support had been flagged for years, and Microsoft had long encouraged users to upgrade to newer versions of Windows.

However, the contract was purely commercial – a volume pricing agreement. It added no new capabilities for XP support to that which individual government bodies already had. CCS simply negotiated a pricing deal – a volume discount – to take advantage of the large number of XP support contracts already in existence, and thereby to reduce the overall cost to the government IT estate.

GDS used this opportunity to put pressure on laggards to upgrade from XP, saying effectively that they had one year left to do so. GDS, however, had no mandate or ability to force any organisation to upgrade.

A year later, CCS proposed a renewal of the deal, but this was turned down by a group called the Technology Leaders Network (TLN), which was set up by GDS for tech chiefs across Whitehall to collaborate and, where appropriate, make collective decisions on IT policy.

What’s important is this: the TLN did not cancel support for Windows XP. They decided to end the volume pricing deal, leaving any organisation still using XP to continue with XP support if they chose to do so. This was clearly communicated to affected departments.

The tech leaders felt the volume pricing deal was acting as a “comfort blanket” for laggards who would prefer – for their own local reasons – not to have to worry about upgrading from XP. There was never a central decision to end support for XP – any such decisions were left entirely to local decision-makers.

Relations between GDS and Microsoft at the time were also not good. Microsoft was reeling from GDS decisions around open standards that threatened the supplier’s dominance of government IT. GDS, in turn, felt Microsoft was behaving badly, unnecessarily playing hardball in its commercial relationship.

The extended support deal already had fees set to double every six months after April 2014 until April 2016, when those charges would have been renegotiated.

The contract agreed by CCS in 2014 was purely about saving money – not about extending support for XP beyond what was already in place. Its cancellation was not about ending support for XP; it was purely about putting responsibility for the decision to pay for XP support back on those people who still used the system.

Every one of the tech chiefs agreed to the decision to end the contract. Each took responsibility for ensuring any XP users in their departments were fully aware of the implications.

Furthermore, GCHQ had advised the TLN that the XP support deal was practically worthless in terms of protecting XP users from IT security vulnerabilities. While the contract covered the availability of critical patches for XP, GCHQ said there were so many vulnerabilities in the ageing software that even those critical patches would never be enough to protect users.

GCHQ was well aware that XP was, and would remain, an insecure and vulnerable system whether there was a support deal in place or not.

IT governance in the NHS

Crucially, however, while the Department of Health (DoH) was represented in the TLN, the NHS was not. GDS had no governance role over IT in the NHS. The DoH tech chief told the meeting he could not take a decision on behalf of the NHS – although clearly he could communicate the decision.

The NHS, meanwhile, was still grappling with the reforms introduced by the 2012 Health and Social Care Act, which controversially separated decision-making powers in the NHS, and removed legal responsibility for healthcare from the secretary of state for the first time. NHS organisations were effectively federated, with greater local control over budgets and decision-making, delivering services “commissioned” by GP-led Clinical Commissioning Groups.

As a result, there was no longer any central organisation with responsibility for IT in NHS trusts. The Health and Social Care Information Centre (HSCIC) – now NHS Digital – is responsible for certain central issues, such as data standards, managing the run-down of contracts from the failed National Programme for IT, and driving digital transformation. HSCIC had no responsibility to set technical standards for IT across the NHS, in the way that GDS was able to do across Whitehall.

GDS was worried enough about this situation that it met with then DoH minister George Freeman, to emphasise the need for a central body to set technical standards across the NHS, with the authority to ensure trusts and other organisations followed best practice, and with the transparency to highlight those who chose not to.

One source claimed that secretary of state for health Jeremy Hunt was also briefed on the security risks that a lack of IT standards would create in such a heavily federated NHS organisation, but it was never a priority at that level. “Hunt never grasped the problem,” said the source.

As a result, accountability for IT standards – including security – varies widely in the NHS. Not all trusts have a single person with responsibility for IT on their board. There is no way to know whether trusts include information security on their risk registers unless they choose to publish them.

As Computer Weekly has reported elsewhere, there were further warnings about the security risks to the NHS, including from national data guardian Fiona Caldicott, and from CareCERT, the NHS Digital organisation that now co-ordinates IT security activity across the health service.

But ultimately, decisions and priorities are set locally by managers in each NHS organisation. As we now know, there were plenty who failed to recognise the cyber security risks they faced, and only now has the inevitable end result been made painfully apparent.

9 comments

Thank you for putting this in the public domain in such a clear and readable way. Once upon a time there was a central body with a remit to set technical standards across the NHS. It was called the NHSIA. It was scrapped by Tony Blair. Hence the comments in my first blog entry on this incident  http://www.computerweekly.com/blog/When-IT-Meets-Politics/An-incident-waiting-to-happen-the-cyber-crippling-of-the-NHS 
The problem with Microsoft XP is not "XP" but "Microsoft".
The UK Government really needs to cut dependence on proprietary software which is itself ransom-ware, and instead commit resources to ongoing maintenance of Linux and related community software.
are you kidding? 
nope. gov needs to operate commercially available common technology standards that are robust, secure and enterprise grade. like a real business - not mess around with open source platforms that have no R&D, roadmap, support etc.
This is not true. SuSe, Red Hat and others do fully supported Linux distributions or the Government may find it even more secure to compile their own.
Why use Microsoft stuff which is probably riddled with back-doors for the CIA and other US agencies?
So quick to dismiss alternatives to the current stranglehold that MS has on the NHS. The problem lies not with the alternatives. Red Hat, Suse etc are all perfectly good well-supported products. The problem is the risk-averse culture in NHS IT and the lack of investment in skills and training to allow sensible staged deployment or phased migration away from Microsoft. I believe some elements of the Spine are based on Linux - proof, if it was needed, that we can build useful stuff if given the freedom to do so.
"The lady doth protest too much, methinks."

https://governmenttechnology.blog.gov.uk/2015/05/22/update-on-the-customer-support-agreement-for-windows-xp/
NHS Ubuntu is, at least, part of an answer. The Microsoft monoculture is expensive (and, yes, I'm aware of the specious arguments about 'cost of ownership'), wasteful (upgrades and new hardware for each Windows iteration, power requirements) and opaque. Also, it means that 'strategy' (if any) is driven exclusively by an external supplier.

The fragmentation of responsibility, which was an attempt at subsidiarity, is rather undesirable in many ways but it opens the door to some innovation as well.
From my experience, the main reason why many NHS organisations still run XP devices on their IT estate is that many vital applications within the NHS are not compatible with new versions of Windows. Upgrading the devices will make such applications unavailable, which presents a clinical risk. The focus should be on the NHS working with suppliers to ensure vital applications are not operating system dependent.