IE 11 is not supported. For an optimal experience visit our site on another browser.

Why 'WannaCry' Malware Caused Chaos for National Health Service in U.K.

The cyberattack has quickly become another political football in the years-long battle over the funding, remit, and existential future of the NHS.
Image: NHS computer system hit in reported cyber attack
An ambulance worker at an NHS hospital in London on Friday.Andy Rain / EPA

LONDON — Why would doctors rely on computers running ancient software?

Last week's worldwide cyberattack potentially put lives at risk by paralyzing computers at state-run medical facilities across the U.K. — including many using discontinued Windows XP.

Thousands of operations and appointments had to be canceled as the "WannaCry" malware threatened to delete crucial files unless ransoms of $300 and $600 were paid.

It may seem obvious that hospitals would have robust cybersecurity strategies to prevent any such disruptions.

However, the National Health Service (NHS) is a radically different beast from the U.S. healthcare system.

And the answer — and who's to blame — differs depending on who you speak with.

Unlike in America, where treatment can result in hefty medical bills, the government-run NHS treats people for free. That is, after you count the £120 billion in taxes (around $155 billion) that pays for the healthcare behemoth each year.

The cyberattack has quickly become another political football in the years-long battle over the funding, remit, and the existential future of the NHS.

For critics of the U.K.'s right-wing Conservative government, the health service succumbed to "WannaCry" due to a lack of funding.

"We are fairly clear that, in at least one of the places heavily affected by the attack, finances and tightness of budgets were the reason why IT investment was rolled back," said Sara Gorton, deputy head of health at Unison, one of Britain's largest unions.

Related: How an IT Expert 'Saved the U.S.' From Cyberattack

She told NBC News that "the cyberattack is a very tangible example of the impact that finances are having on decision-making and the consequences of underfunding of the NHS."

Around one-fifth of NHS trusts — the regional bodies that run British hospitals — were affected by the cyberattack.

The malware was able to jump from computer to computer by targeting a weakness in older versions of Windows, as well as more recent systems that hadn't been updated.

"The biggest problem is every time we think we have something fixed the hackers and criminals develop something new"

Microsoft said the weekend's attack was powered by an exploit stolen by hackers from the National Security Agency, or NSA. The tech giant released an update on March 14 that fixed this vulnerability — but Windows XP, which Microsoft stopped supporting in 2014, and computers that did not install the recent patch were left exposed.

A Freedom of Information Act request by American software company Citrix last year showed that 90 percent of NHS hospitals had computers that were still running Windows XP.

In short, the evidence suggests that the NHS wasn't targeted specifically, but merely fell victim on such a large scale because its systems weren't secure.

Not only do any new updates need to combine with existing applications, they also need to operate seamlessly alongside crucial hardware — such as MRI machines — that is often years old.

The consequences of the system crashing could be catastrophic.

Nick Hulme, the chief executive of the state-run hospitals in the English cities of Ipswich and Colchester, told NBC News that as many as 500 of their 3,000 PCs had been immobilized. However, only about 10 operations were cancelled at his sites.

"The biggest problem is every time we think we have something fixed the hackers and criminals develop something new. Trying to stay one step ahead is a never-ending challenge," he told NBC News.

Many people regard the NHS as a cherished and essential component of their national identity — perhaps the very essence of what it means to be British (it enjoyed a 63 percent satisfaction rate last year).

But it is far from perfect.

The government has pledged to increase funding, but its own spending watchdog has warned this will not be enough to maintain standards in an already-creaking service treating an aging and growing population.

In the political sphere, the opposition Labour and Liberal Democrat parties have demanded answers from the government, accusing it of skimping on cybersecurity and raiding the NHS infrastructure budget to plug gaps elsewhere.

Image: A NHS sign is displayed outside a hospital in central London
A National Health Service sign outside a hospital in central London.Ben Stansall / AFP - Getty Images file

The government denied these shortcomings, with Health Secretary Jeremy Hunt telling NBC News' U.K. partner ITV News that "over the last three years there has been a huge effort to improve the resilience of the NHS."

Prime Minister Theresa May has also been keen to point out that countless other computers at companies and government agencies around the world were also immobilized by the digital assault.

The one thing no one can claim is that they weren't warned.

In 2014, the government wrote to NHS trusts urging them to update their systems.

The letter said it was "essential that all NHS organizations put in place robust plans to migrate away from Windows XP" and other outdated systems by April 2015.

And just days before the attack itself, a neurology registrar based in London gave an eerily prophetic warning of what was about to happen.

"Hospitals will almost certainly be shut down by ransomware this year," Dr Krishna Chinthapalli wrote in the British Medical Journal.

Related: Microsoft Comes Out Swinging at NSA Over Global Hack

Another warning last week came from industry website Digital Health, which warned that outdated software was "not something that [NHS] trusts are going to be able to ignore forever."

It blamed "an infrastructure built upon a lack of true forward thinking, improvements held back by a lack of funding, and perhaps most importantly a lack of any real sense of urgency from those who control the purse strings at the highest level."

Image: The Royal London Hospital
The Royal London Hospital was among the National Health Service facilities where care was disrupted as a result of the cyberattack.NIKLAS HALLE'N / AFP - Getty Images

However, updating the thousands of computers is not as easy as installing a new operating system on a household PC.

New software may be free, but the specialists who install and maintain it aren't. There is also the worry that updates might not be compatible with the NHS' messy patchwork of other systems, applications that have been modified at different times and implemented by different governments through the years.

On Monday, NHS Digital revealed that last month it sent out details of a fix that it said would have protected hospitals from the attack.

But Gorton at Unison told NBC News that many trusts "couldn't afford to invest in the IT patches that would have protected the hospital."

Hulme, the chief executive, agreed that the solution wasn't simple or cheap.

"The updates can be done relatively inexpensively, it’s the manpower costs that we need to consider," he said. "The total cost will really be about the investment decisions we need to make going forward about the protection required, and as an entire system what can we do. The NHS isn’t always terribly good at working together, but I think we have learnt the importance of working together from this.”

Hulme said he was proud of the how staff handled the outage — taking a decidedly low-tech approach that allowed the vast majority of services to continue being provided.

“We did have a contingency for this but the policy was on the computer system, eventually we found a hard copy and moved to a paper-based system for all hospital operations," he said. "We have learnt a lot in terms of dealing with a cyberattack. What I will say is I can’t think of many public or private organization that can provide 95 percent of its services to customers if it suffered a complete loss of IT.”