NHS could be in breach of Data Protection Act over Ransomware attack

NHS ransomware

The recent ransomware attack on the NHS may leave the organisation open to prosecution under data protection laws.

Rumours are circulating that NHS Trusts across the UK are still using the outdated and unsupported Windows XP operating system, for which the creators – Microsoft – ended support in April 2014. Windows XP no longer receives updates from Microsoft including the crucial MS17-02 update which the company said “resolves vulnerabilities in Microsoft Windows” the “most severe of the vulnerabilities could allow remote code execution if an attacker runs a specially crafted application”.

In effect, the NHS have left some computers open to attack by using outdated, old and insecure software.


Possible breach of the Data Protection Act

Under the laws of the Data Protection Act (DPA), Data Holders (in this case NHS bosses) are obliged to ensure that any personal data held in relation to patients is kept safe and secure to prevent it falling into the wrong hands.

If a computer system is vulnerable enough to allow hackers to encrypt data within it, then it may also be possible for hackers to obtain personal data about individual members of the public from that system. If personal information was to fall into the wrong hands it would be considered a breach of the DPA an leave the organisation open to prosecution. Historically, large fines have been issued by the Information Commissioners Office (ICO) such as those issued against 11 large charities in April 2017.


ICO warned users of XP about data protection laws in 2014

The ICO warned companies against using Windows XP in 2014 in a press release. Simon Rice of the ICO said organisation should migrate away from old systems as quickly as possible as “failure to do so will leave your organisation’s network increasingly vulnerable over time and increases the risk of a serious data breach that your actions could have prevented”.

It seems that some NHS bosses failed to understand the seriousness of the threat.