LONDON — Why would doctors rely on computers running ancient software?
Last week’s worldwide cyberattack potentially put lives at risk by paralyzing computers at state-run medical facilities across the U.K. — including many using discontinued Windows XP.
Thousands of operations and appointments had to be canceled as the “WannaCry” malware threatened to delete crucial files unless ransoms of $300 and $600 were paid.
It may seem obvious that hospitals would have robust cybersecurity strategies to prevent any such disruptions.
However, the National Health Service (NHS) is a radically different beast from the U.S. healthcare system.
And the answer — and who’s to blame — differs depending on who you speak with.
Unlike in America, where treatment can result in hefty medical bills, the government-run NHS treats people for free. That is, after you count the £120 billion in taxes (around $155 billion) that pays for the healthcare behemoth each year.
The cyberattack has quickly become another political football in the years-long battle over the funding, remit and existential future of the NHS.
For critics of the U.K.’s right-wing Conservative government, the health service succumbed to “WannaCry” due to a lack of funding.
“We are fairly clear that, in at least one of the places heavily affected by the attack, finances and tightness of budgets were the reason why IT investment was rolled back,” said Sara Gorton, deputy head of health at Unison, one of Britain’s largest unions.
She told NBC News that “the cyberattack is a very tangible example of the impact that finances are having on decision-making and the consequences of underfunding of the NHS.”
Around one-fifth of NHS trusts — the regional bodies that run British hospitals — were affected by the cyberattack.
The malware was able to jump from computer to computer by targeting a weakness in older versions of Windows, as well as more recent systems that hadn’t been updated.
Microsoft said the weekend’s attack was powered by an exploit stolen by hackers from the National Security Agency, or NSA. The tech giant released an update on March 14 that fixed this vulnerability — but Windows XP, which Microsoft stopped supporting in 2014, and computers that did not install the recent patch were left exposed.
A Freedom of Information Act request by American software company Citrix last year showed that 90 percent of NHS hospitals had computers that were still running Windows XP.
In short, the evidence suggests that the NHS wasn’t targeted specifically, but merely fell victim on such a large scale because its systems weren’t secure.
Not only do any new updates need to combine with existing applications, they also need to operate seamlessly alongside crucial hardware — such as MRI machines — that is often years old.
The consequences of the system crashing could be catastrophic.
Nick Hulme, the chief executive of the state-run hospitals in the English cities of Ipswich and Colchester, told NBC News that as many as 500 of their 3,000 PCs had been immobilized. However, only about 10 operations were canceled at his sites.
“The biggest problem is every time we think we have something fixed the hackers and criminals develop something new. Trying to stay one step ahead is a never-ending challenge,” he told NBC News.
Many people regard the NHS as a cherished and essential component of their national identity — perhaps the very essence of what it means to be British (it enjoyed a 63 percent satisfaction rate last year).
But it is far from perfect.
The government has pledged to increase funding, but its own spending watchdog has warned this will not be enough to maintain standards in an already-creaking service treating an aging and growing population.
In the political sphere, the opposition Labour and Liberal Democrat parties have demanded answers from the government, accusing it of skimping on cybersecurity and raiding the NHS infrastructure budget to plug gaps elsewhere.
The government denied these shortcomings, with Health Secretary Jeremy Hunt telling NBC News’ U.K. partner ITV News that “over the last three years there has been a huge effort to improve the resilience of the NHS.”
Prime Minister Theresa May has also been keen to point out that countless other computers at companies and government agencies around the world were immobilized by the digital assault.
The one thing no one can claim is that they weren’t warned.
In 2014,…