In all the debate about the NHS ransomware attack, much has been made of a government decision in 2015 to end a contract with Microsoft to provide support for the ageing Windows XP operating system that was widely in use across the NHS at the time.
Continued use of XP has been highlighted as one of the factors that enabled the ransomware attack – although the bigger issue is the lack of discipline in patching newer versions of Windows, which allowed the attack to target PCs without a fix for a known bug that has been available for two months.
The XP support deal has even become a political issue, with Labour criticising the Conservatives for “cancelling” support for XP. The truth is very different, and sheds light on the deep organisational and structural issues within NHS IT that made a cyber attack on this scale inevitable. It also raises questions about how the prevailing political ideology directing the NHS contributed to the situation.
Computer Weekly has talked to several people directly involved with the decision not to renew the original 2014 support deal with Microsoft – they have asked to remain anonymous – but they provide insights into why the NHS was uniquely vulnerable to this attack.
A purely commercial agreement
The £5.5m XP support contract with Microsoft, signed in 2014, was trumpeted by the Crown Commercial Service (CCS) and the Government Digital Service (GDS) as a helping hand for public sector organisations that had yet to migrate off XP – the end of support had been flagged for years, and Microsoft had long encouraged users to upgrade to newer versions of Windows.
However, the contract was purely commercial – a volume pricing agreement. It added no new capabilities for XP support to that which individual government bodies already had. CCS simply negotiated a pricing deal – a volume discount – to take advantage of the large number of XP support contracts already in existence, and thereby to reduce the overall cost to the government IT estate.
GDS used this opportunity to put pressure on laggards to upgrade XP, saying effectively they had one year left to do so. GDS, however, had no mandate or ability to force any organisations to upgrade.
A year later, CCS proposed a renewal of the deal, but this was turned down by a group called the Technology Leaders Network (TLN), which was set up by GDS for tech chiefs across Whitehall to collaborate and, where appropriate, make collective decisions on IT policy.
What’s important is this: the TLN did not cancel support for Windows XP. They decided to end the volume pricing deal, leaving any organisation still using XP to continue with XP support if they chose to do so. This was clearly communicated to affected departments.
The tech leaders felt the volume pricing deal was acting as a “comfort blanket” for laggards who would prefer – for their own local reasons – not to have to worry about upgrading from XP. There was never a central decision to end support for XP – any such decisions were left entirely to local decision-makers.
Relations between GDS and Microsoft at the time were also not good. Microsoft was reeling from GDS decisions around open standards that threatened the supplier’s dominance of government IT. GDS, in turn, felt Microsoft was behaving badly, unnecessarily playing hardball in its commercial relationship.
The extended support deal already had fees set to double every six months after April 2014 until April 2016, when those charges would have been renegotiated.
The contract agreed by CCS in 2014 was purely about saving money – not about extending support for XP beyond what was already in place. Its cancellation was not about ending support for XP, purely about putting responsibility for the decision to pay for XP support back on those people who still used the system.
Every one of the tech chiefs agreed to the decision to end the contract. Each took responsibility for ensuring any XP users in their departments were fully aware of the implications.
Furthermore, GCHQ had advised the TLN that the XP support deal was practically worthless in terms of protecting XP users from IT security vulnerabilities. While the contract covered the availability of critical patches for XP, GCHQ said there were so many vulnerabilities in the ageing software, that even those critical patches would never be enough to protect users.
GCHQ was well aware that XP was, and would remain, an insecure and vulnerable system whether there was a support deal in place or not.
IT governance in the NHS
Crucially, however, while the Department of Health (DoH) was represented in the TLN, the NHS was not. GDS had no governance role over IT in the NHS. The DoH tech chief told the meeting he could not take a decision on behalf of the NHS – although clearly he could communicate the decision.
The NHS, meanwhile, was still grappling with the reforms introduced by the 2012 Health and Social Care Act, which controversially separated decision-making powers in the NHS, and removed legal responsibility for healthcare from the secretary of state for the first time. NHS organisations were effectively federated, with greater local control over budgets and decision-making, delivering services “commissioned” by GP-led Clinical Commissioning Groups.
As a result, there was no longer any central organisation with responsibility for IT in NHS trusts. The Health and Social Care Information Centre (HSCIC) – now NHS Digital – is responsible for certain central issues, such as data standards, managing the run-down of contracts from the failed National Programme for IT, and driving digital transformation. HSCIC had no responsibility to set technical standards for IT across the NHS, in the way that GDS was able to do across Whitehall.
GDS was worried enough about this situation that it met with then DoH minister George Freeman, to emphasise the need for a central body to set technical standards across the NHS, with the authority to ensure trusts and other organisations followed best practice, and with the transparency to highlight those who chose not to.
One source claimed that secretary of state for health Jeremy Hunt was also briefed on the security risks that a lack of IT standards would create in such a heavily federated NHS organisation, but it was never a priority at that level. “Hunt never grasped the problem,” said the source.
As a result, accountability for IT standards – including security – varies widely in the NHS. Not all trusts have a single person with responsibility for IT on their board. There is no way to know whether trusts include information security on their risk registers unless they choose to publish them.
As Computer Weekly has reported elsewhere, there were further warnings about the security risks to the NHS, including from national data guardian Fiona Caldicott, and from CareCERT, the NHS Digital organisation that now co-ordinates IT security activity across the health service.
But ultimately, decisions and priorities are set locally by managers in each NHS organisation. As we now know, there were plenty who failed to recognise the cyber security risks they faced, and only now has the inevitable end result been made painfully apparent.