The NHS cyber-attack does not speak well of Conservative competence. It should be borne in mind that this was not an ingenious attack by Russian cyber-terrorists. This was a fairly basic piece of malware that only infected computers with out-of-date operating systems that were not upgraded or properly maintained. It appears that the NHS’s computer system was not upgraded and properly maintained because (i) back in 2010, the Conservative-led government chose not to renew a national contract with Microsoft and (ii) since then NHS trusts have concluded that they could not afford to up-date their Windows operating systems in the face of other pressing financial demands.
Yes, NHS trusts may be to blame but the Department of Health has overall responsibility for the NHS computer system and should have been alert to this risk. Since, Microsoft ceased to maintain and up-date Windows XP in 2014 the risk has been clear.
The NHS system holds vast amounts of highly personal information. It is also clear that medical treatment is contingent upon the proper operation of the computer system. Proper computer security has become a key part of the functioning of the NHS. This is a matter of the utmost importance. And in this context, we need to know if there was a failure by ministers to address properly the risks to the NHS’s IT system. Should more have been done to police NHS Trusts’ apparently deficient IT policies and practice? Where, after all, does the buck stop?