The NHS is working to bring its systems back online after it became the highest-profile victim of a global ransomware attack and faced renewed concern about the strength of its infrastructure.
The National Cyber Security Centre (NCSC) said teams were “working round the clock” in response to the attack, which saw operations cancelled, ambulances diverted, and documents such as patient records made unavailable in England and Scotland.
Prime minister Theresa May and NHS Digital said they were not aware of any evidence patient records had been compromised in Friday’s attack, which is thought to have affected computers in nearly 100 countries.
May said: “This is not targeted at the NHS, it’s an international attack and a number of countries and organisations have been affected.”
However shadow health secretary Jonathan Ashworth urged the government to be “clear about what’s happened”, describing the attack as “terrible news and a real worry for patients”.
The unprecedented attacks appeared to have been carried out by hackers who created ransomware based on a tool stolen from the National Security Agency in the US. The bug called “WanaCrypt0r 2.0” or WannaCry, exploits a vulnerability in Windows. Microsoft released a patch – a software update that fixes the problem – for the flaw in March, but computers that had not installed the security update were vulnerable.
In December it was reported nearly all NHS trusts were using an obsolete version of Windows that Microsoft had stopped providing security updates for in April 2014. Data acquired by software firm Citrix under freedom-of-information laws suggested 90% of trusts were using Windows XP, then a 15-year-old system.
It is not known how many computers across the NHS today are still using Windows XP or recent variants Windows 8 and Windows 10.
About 40 NHS organisations are though to have been affected by Friday’s bug, which was released the day after a doctor warned that NHS hospitals needed to be prepared for an incident precisely of the kind seen.
In an article published in the British Medical Journal, Dr Krishna Chinthapalli, a neurology registrar at the National Hospital for Neurology and Neurosurgery in London, said hospitals “will almost certainly be shut down by ransomware this year”.
Ross Anderson, of Cambridge University, said the “critical” software patch released earlier this year may not have been installed across NHS computers. “If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, then whose fault is that?” Anderson said.
Alan Woodward, a visiting professor of computing at the University of Surrey, said the attack’s success was “likely to be because some organisations have either not applied the patch released by Microsoft, or they are using outdated operating systems.”
NHS Digital said on Friday night it was unable to comment on the suggestion.
Marco Cover, a systems security researcher, said critics should take the complexity of keeping systems up to date into account. “It’s easy to blame people who don’t upgrade,” he said. “But in practice things are often more complicated: operations teams may not touch legacy systems for a number of reasons. In some cases they may even be unaware that such legacy systems are running in their infrastructure.”
The same malicious software that hit NHS networks attacked some of the largest companies in Spain and Portugal, including phone company Telefónica, and has also been detected on computers in Russia, Ukraine and Taiwan among other countries. The international shipping company FedEx was also affected.
Kaspersky Lab, a cybersecurity company based in Moscow, estimated that 45,000 attacks had been carried out in 99 countries, mostly in Russia. In a blogpost, it added that the totals could be “much, much higher”.
In the UK, computers in hospitals and GP surgeries simultaneously received a pop-up message demanding a ransom in exchange for access to the PCs.
A warning was circulated on Friday within at least one NHS trust of “a serious ransomware threat currently in circulation throughout the NHS”, but the attack proved impossible to stop. Patient records, appointment schedules, internal phone lines and emails were rendered inaccessible and connections between computers and medical equipment were brought down. Staff were forced to turn to pen and paper and to use their own mobile phones.
Last year, the government established the NCSC to spearhead the country’s defences. In the three months after the centre was launched, there were 188 “high-level” attacks as well as countless lower-level incidents. Chancellor Philip Hammond disclosed in February that the NCSC had blocked 34,550 potential attacks targeting UK government departments and members of the public in six months.