The procurement angle behind the NHS ransomware attack

Last week's (and today's?) ransomware attack on the NHS has a procurement angle to it. It is not the only one and maybe not the most important but procurement mattered nonetheless. Here's why:

1. Vendor lock-in

All compromised computers ran either Windows XP (unsupported) or more recent versions of Windows that had not been patched to fix the vulnerability. There may be very good reasons for both situations, such as critical systems depending on software available only for Windows XP; medical devices only having drivers for Windows XP; or uncertainty about whether patching would create problems elsewhere.

Those are all valid reasons to have both XP and more modern unpatched computers. They are, however, a good example of what happens when the public sector falls prey to vendor lock-in. By throwing in its lot with Microsoft and with equipment vendors that only support a legacy OS like XP, the NHS is no longer in full control of its own decision making. It cannot decide when to patch, what to patch, or when to ask another supplier to step in and help solve any problems. The NHS is at the mercy of external players whose interests are not aligned with its own: Microsoft wants to sell Windows 10 licences, and medical device vendors want to sell newer machines. Even where medical device vendors have support contracts for their equipment, those may not include software updates (remember that Windows XP is over 15 years old), or it may not be technically feasible to update the software on those devices to make it compatible with newer versions of Windows.

I have long harped on about the risks arising from possible vendor lock-in in innovation contracts, but lock-in in current contracts is surely a lot more important in practice. In addition, last week's attack is another example of the risks of accepting commercial secrecy as a given in public contracts.

2. The XP support contract

Microsoft ended extended support for Windows XP in April 2014 and started charging organisations significant sums of money to keep issuing XP patches under custom support agreements. The UK Government had a £5.5M contract with Microsoft for a year of such support:

“We have made an agreement with the Crown Commercial Service to provide eligible UK public-sector organisations with the ability to download security updates to Windows XP, Office 2003 and Exchange 2003 for one year until 8 April 2015,” said a Microsoft spokesperson.

The UK's custom support agreement was not renewed or extended in April 2015, perhaps due to the costs involved: Microsoft allegedly doubled the price from $200 to $400 per machine, and perhaps the UK Government was unable to negotiate a reduction on unit costs. Perhaps it did not even know how many computers in the public sector needed patching, which would make any negotiation difficult. As a comparison, the US Navy was paying Microsoft $9.1M for support until July 2016, and the extension into 2017 would have increased the cost once more.

From April 2015 onwards, all UK public sector XP machines became proverbial sitting ducks. The magnitude of the problem for the NHS had been known since September 2016, when Motherboard published an article based on a Freedom of Information request:

Motherboard has found that at least 42 National Health Service (NHS) trusts in England are still using the Windows XP operating system, with many of them confirming that they no longer receive security updates for the software. Legal experts say that the NHS hospitals may be in breach of data protection regulations.

As it happens, the attack hit between 40 and 48 NHS trusts in England, and I am sure that is not a coincidence. I suspect there is a significant overlap between the trusts that were still using XP in September 2016 and the trusts hit last week.

I am not a data protection expert, but I would not be surprised if those trusts were in violation of their obligations, and I remain less than assured that personal medical data has not been stolen, not in this attack but by others exploiting the same vulnerability since it was disclosed over a month ago.

3. (Dis)Organisation and competing priorities

The final procurement angle is one of disorganisation and competing priorities. Having a decentralised health system in a day and age where IT is becoming more complex (and more expensive) to manage well is a disaster (or two) waiting to happen. Procurement itself is becoming ever more complex, partly because of the rules, partly because of bolt-on policies, and partly because what is being procured is becoming more complex as well. Those two trends should dictate a move to a more centralised model.

I am not claiming that centralisation would magically solve the problems (funding would remain an issue), but it would at least make it possible to have, somewhere, the expertise needed to do procurement and IT well. As it stands, we expect each and every NHS trust to have that expertise (and more) on tap at any given moment. Since complexity is only going to increase (smart medical devices, anyone?), the future looks grim.

Finally, time and time again I have seen IT managers pleading for resources to secure networks and/or to upgrade and test their equipment. It is always a tough sell, as the key decision makers simply do not understand the risks and what is at stake, preferring instead to allocate resources to priorities they understand and whose risks and consequences they can grasp. Maybe in the NHS that will change going forward.

PS: A bit of perspective is important, though. Let's not forget that these institutions have been the victims of an attack, which may well constitute criminal activity. If we should not blame the victims of other crimes, the same standard should apply to the institutions involved in this one.