Years of underfunding, together with an ageing and growing population, have placed immense strain on the NHS, and UK residents are acutely aware of the service’s current challenges. Budget reductions have forced the NHS to cut spending where possible, but the recent WannaCry ransomware attack — which demanded $300 to unlock each infected computer — exposed how far some of those cuts went, particularly in IT.
An NHS source confirmed the attack exploited a vulnerability in the now-unsupported Windows XP. That exploit was one of several cyber tools hoarded by the US government’s NSA and later leaked. Microsoft issued a patch for supported versions of Windows (Vista and later) in March, but machines still running XP remained vulnerable.
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” wrote Brad Smith, Microsoft’s President and Chief Legal Officer, in a blog post. He compared hoarded cyber tools to conventional weapons, arguing that leaving such exploits undisclosed risks widespread harm.
Our source explained that the NHS’s cautious approach to deploying updates contributed to the problem. Reluctance to roll out patches quickly — partly driven by shortages of staff with appropriate expertise — left systems exposed. Budget constraints have reduced the numbers of staff capable of managing and testing updates, creating a situation where security fixes were delayed or not applied.
A phased rollout strategy could have mitigated the risk: staging updates across non-critical systems first and using patched machines as fallbacks would reduce the chance of a single update causing widespread disruption. In several trusts, however, legacy servers still require Windows XP-based clients. These outdated machines should be isolated to local networks without internet or file-sharing access, because they are not suitable for connected environments.
Insufficient security allowed WannaCry to spread through trusts nationwide with minimal resistance, knocking offline computers used for vital medical functions such as diagnostic imaging and analysis. An anonymous NHS worker told the BBC: “Absolute carnage in the NHS today. Two Hyperacute stroke centres (the field I work in) in London have closed as of this afternoon. Patients will almost certainly suffer and die because of this.” Another staffer reported that an urgent neurosurgery referral could not proceed because clinicians could not view scans — a stark example of how dependent stroke and emergency care are on IT systems.
According to our source, the attack likely entered NHS systems via email. The NHS’s email services are provided by Accenture, and our source says malware frequently evades the Trend Micro antivirus they use. Known malicious relays and spam are sometimes still permitted through filtering. Late last year an Accenture email issue sent a blank message to 850,000 NHS addresses, triggering massive reply-all traffic and delaying message delivery by up to seven hours in some cases — an incident that highlighted weaknesses in email reliability and filtering.
In 2014 the UK government paid Microsoft £5.5 million to continue providing support for Windows XP for another year, hoping trusts would use the extra time to migrate to newer, more secure operating systems. However, intelligence agency GCHQ warned that even with extended support for critical patches, XP’s many inherent vulnerabilities made it impossible to secure effectively with a few fixes.
A British researcher using the handle @MalwareTechBlog partly slowed this variant of WannaCry by registering a domain embedded in the malware’s code. The domain acted as an accidental “kill switch” and temporarily halted the outbreak, but attackers promptly adapted and variants without the same flaw have since been observed.
While the NHS was only one of many victims in this global attack, the incident makes clear that cutting corners on IT security carries severe risks. As the Internet of Things expands and more devices connect to critical infrastructure, security needs to be prioritised to prevent harm. In health systems, the stakes are particularly high: inadequate cybersecurity can translate directly into harm for patients.
Do you think WannaCry should have been prevented? Let us know in the comments.