Saturday, May 13, 2017

Why the NHS ransomware shambles was an accident waiting to happen

I watched the news unfold on Friday afternoon.  A handful of hospitals had been hit by the WannaCry Decryptor ransomware virus, transmitted by email in a massive, international wave that began a few hours earlier.  As more and more people opened their emails, the virus spread exponentially, eventually affecting tens of hospital trusts and more than 70 countries worldwide.

Of course, I deplore any attacks, especially on such critical infrastructure, and think the authors of the attack should be found and brought to justice.  But there's no denying this is partly the fault of the NHS.

Many top security specialists have been warning for years that a critical IT incident is an accident waiting to happen, with the latest report published just two days prior to the attack.

The NHS have known for years that running insecure operating systems (XP) was a massive security risk, and yet their money was spent on maintaining PFI contracts and paying overblown management consultants rather than investing in their infrastructure.  As the NHS started to creak alarmingly in the latter half of 2016, even less money was available and the ethos was make do and mend.

Meanwhile, some genius thought up the Rate Caps, the answer to all their prayers.  If we pay staff less, they reasoned, especially external staff, we will save money!  Unfortunately what they failed to see, and what was clear to everyone else, was that paying staff less would drive them away, leaving gaps in service - including IT, especially when the new rates were around 60% of the old ones.

Unfortunately, the NHS in particular has a habit of recruiting staff from their existing pool, meaning many IT personnel came from clinical backgrounds.  Nothing wrong with that, you might say, but when your PC is Cryptolockered, who do you want to fix it - an IT specialist with years of training and qualifications or a nurse-turned-password-resetter?

The final nail in the coffin was the recent IR35 changes, and more particularly the decision by senior NHS managers to classify all contractors as caught by the legislation.  This ensured that any contractors remaining couldn't afford to stay, as they'd automatically become liable for 40% tax on not only their earnings but their past earnings too, irrespective of how much corporation tax their limited company had already paid.  This meant an effective tax of 60%+ on earnings, and the effect was immediate.  Contractors didn't renew and staff left in waves.  One estimate is that the MoD lost over 98% of contractors in this way, and there have been ramifications throughout all public sector areas due to staff shortages.  This left the burden on permanent staff, and they failed spectacularly.

At the time of writing our Home Secretary is chairing an emergency meeting of COBRA to work out an appropriate response.  The real work will be done by hundreds of underequipped NHS IT workers over the weekend.  But the appropriate response would be to identify and publicly shame the management idiots who prioritised cost saving over patient lives, and who have no ability to see the consequences of their actions.