Prevention is better than blame

It is truly deplorable that the WannaCry ransomware last week was able to bring 45 NHS organisations to a standstill.

The attack also hit organisations across more than 100 countries, including Telefonica in Spain, FedEx in the US, the German railways and the Russian interior ministry.

As far as the health service is concerned, many have pointed the finger of blame at NHS bosses, who allowed their organisations to run the long-outdated operating system Windows XP, or otherwise failed to ensure their operating systems were fully updated – including failing to apply the free software "patch" released by Microsoft in March to prevent exactly this kind of attack.

Some have pointed the finger at the government, which is accused of ignoring warnings from the National Cyber Security Centre and the National Crime Agency about the vulnerability of outdated NHS IT and who, in 2015, cancelled a £5.5m deal with Microsoft to provide ongoing support for the obsolete operating system.

Some have pointed the finger at Microsoft itself, because its operating systems have been criticised for their vulnerabilities. Indeed, some have noted that the banking sector, which doesn't rely on Microsoft products, was unaffected.

Microsoft no longer supports Windows XP and some say that this is unacceptable given that so many key organisations continue to rely on the software.

All of this raises some important questions for the NHS and internal audit: was the internal audit function adequately equipped and resourced to offer an effective third line of defence? Had the internal auditors highlighted the potential risk and, if so, were they listened to? If they were not, what does the NHS need to improve to ensure that strategic risks are appropriately acknowledged? 

These are similar questions to those asked of the financial services sector after the financial crisis. Perhaps the public sector or the health service should have a sector specific code, such as the Financial Services Code, to ensure that internal auditors have the expertise, skills and clout to undertake their role as the third line of defence effectively?

This article was first published in May 2017.