Why WannaCry ransomware infection is a data breach

A summary in case the recent WannaCry ransomware pandemic has somehow passed you by:

NHS use of Windows XP

Microsoft’s support for Windows XP ended in April 2014, after which the UK government paid Microsoft £5.5 million for a further 12 months of custom support and urged NHS organisations to “put in place robust plans to migrate away from Windows XP” by 14 April 2015. That custom support deal ended in May 2015, leaving any NHS organisation still running the unsupported operating system without security patches and therefore exposed to attack.

Unsurprisingly, a number of NHS machines still run Windows XP, but the exact number is disputed: according to the Defence Secretary, Sir Michael Fallon, 5% of NHS computers still use the out-of-date operating system. Last September, however, a Freedom of Information request by Motherboard found that 42 NHS trusts were using XP, suggesting the percentage is considerably higher.

NHS, WannaCry and data protection

In July last year, the Care Quality Commission (CQC) – the independent regulator of health and social care in England – published a report called Safe data, safe care: Report into how data is safely and securely managed in the NHS.

Its opening remarks were: “Good information underpins good care. Patient safety can only be assured when information is accessible, its integrity is protected against loss or damage, and confidentiality is maintained.”

Accessibility is the key point here. Thousands of patients could not be treated because their records were unavailable; that is, without question, a data breach: personal data was rendered unavailable for the purposes for which it was collected, and loss of availability is as much a breach of security as unauthorised disclosure or alteration.

While the Data Protection Act 1998 does not require organisations to report such a breach, its replacement, the GDPR (General Data Protection Regulation), certainly will: Article 33 requires a personal data breach to be notified to the supervisory authority within 72 hours of the organisation becoming aware of it.

NHS funding is, of course, a political issue, and for each person who understands the value of technology to the service there is another who wants to know why trusts should spend money on computers instead of nurses. Perhaps this incident will put that into perspective.

Irrespective of the many reasons for the NHS’s failure to move on from an operating system that is no longer vendor-supported, under the GDPR an incident like this would expose every one of the breached institutions to administrative fines of up to 4% of annual turnover or €20 million, whichever is the higher.

Furthermore, the Directive on Security of Network and Information Systems (NIS Directive), which requires operators of essential services such as NHS organisations to have cyber security and business continuity programmes in place, and whose penalties, set by each member state, are expected to be on the same scale as the GDPR’s, could also lead to significant fines for breached organisations.

Where there has been one breach there is a strong likelihood of another, so it is likely to be far less expensive for NHS organisations to comply with the law, upgrade their systems and tighten their data security regimes than to risk further fines.

How to comply with the GDPR

With just over 12 months to go until organisations need to comply with the GDPR, now is the time to get prepared.

Take the first step towards compliance by reading EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide.

This must-have guide details:

  • The GDPR in terms you can understand
  • The obligations of data controllers and processors
  • What to do with international data transfers
  • Data subjects’ rights and consent
  • And much more. 

Buy this book before the end of May and save 10%.