Are you gob-smacked by the fact that the NHS were relying on Windows XP, an operating system first released in 2001, which Microsoft stopped supporting in April 2014?
Did you know that the Government paid Microsoft £5.5million to support XP for a further year but decided not to renew that contract after May 2015?
Did the Government, in particular Secretary of State for Health Jeremy Hunt, make a funding decision that exposed NHS systems?
Why did NHS bodies not manage to migrate from Windows XP in good time?
Using the Watergate questions: “What did key decision takers in the NHS know and when did they know it?”, I think the Information Commissioner can provide some independent insight.
Was there a breach of the DPA?
When the ransomware attack succeeded in blocking the use of health personal data, was there a breach of the Data Protection Act?
As the malware encrypted files of personal data (and perhaps deleted back up files, as is often the case with ransomware), then there would have been processing operations performed on personal data.
The first paragraph of the interpretation of the Seventh Principle states that:
Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to:
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.
It is clear, therefore, that there are several breaches of the Seventh Principle (e.g. failure to take “appropriate” technical measures). For instance, reliance on unsupported Windows XP is hardly “state of the art”, as the malware exploited an antiquated operating system to encrypt, without authority, files containing personal data. The harm was experienced by data subjects through cancelled procedures or out-patient clinic appointments, and the failure to patch or migrate from XP was foreseeable.
Such data subjects can ask for an assessment and the ICO can (and in my view, should) determine whether enforcement action is appropriate.
Is there a reportable loss of personal data?
The technical problem concerning reportability is that, at first glance, there is no processing of personal data that results in a “normal” data loss, say where a database is deleted or accidentally attached to an email.
However, the word “security” in the context of IT equipment and data is often defined in terms of “confidentiality, availability and integrity”. In the ransomware infections, the personal data were not available at the correct time, for example, to treat a patient. Implicitly, therefore, the personal data were effectively “lost” at the time they were needed by the data subject and by the data controller.
It is this equation of non-availability of personal data at the material time that gives rise to a “loss” of personal data. It follows that such data losses are reportable by all NHS Trusts who experienced the ransomware outage.
Another way of looking at this situation is to consider the circumstances that arise when personal data are “lost” and “found” (which the ICO has often enforced against previously). In infected systems, the personal data are “lost”; however, once the malware is removed or the ransom paid, the personal data are recovered (i.e. found). If the ransomware takes its course, then the personal data are definitely lost.
That is why I think there is a data loss, and this data loss reporting will form the basis for an independent report into the issue.
What about fines?
In my view, there has been a breach of the Seventh Principle; the issue then becomes whether the breach has caused a “serious contravention” of this Principle and whether “the contravention was of a kind likely to cause substantial damage or substantial distress”. I think that given some patient interviews (e.g. cancelled heart operations) on the TV, the answer is “yes”.
Is it the case that the data controller “knew or ought to have known” that the contravention was likely to cause substantial damage or substantial distress? Clearly, again, the answer is “yes”, especially as it has been reported in the press that security risk assessments undertaken by some NHS bodies identified the lack of patching for Windows XP as an urgent security issue that needed addressing.
So, NHS bodies could be at risk of receiving a Monetary Penalty Notice. However, the Secretary of State, who is also a serious candidate for the accolade of “villain of the piece”, is not a data controller. It is the NHS bodies he funds who are controllers.
What about compensation?
I am sure that many patients could have a claim for compensation, but what is the level of compensation for an out-patients’ appointment delayed for a fortnight or so? Not much, I suspect, in many cases (e.g. half a day wasted, travel costs etc). Given the effort involved in getting a small claims case together, I am pretty sure that there will not be many cases arising from this incident.
Clearly, however, some delays could result in considerable damage and distress depending on the nature of the delay, but I suspect that patients at medical risk whose procedure was delayed would be treated in order of medical risk (i.e. serious cases first). Given that most NHS Trusts were back up by 6pm Saturday, there again, I expect the degree of damage is likely to be limited.
I conclude that no-win, no-fee ambulance chasers will have a hard time finding suitable cases. There might be the odd case; not many.
Concluding comments
Finally, all the organisations involved in the ransomware recovery operation are public bodies that report to two Secretaries of State seeking re-election. Given the non-stop mantra of “strong and stable” which characterises this General Election, Ministers are not going to enter a plea of “mea culpa” and admit that their decisions have thrown the NHS into chaos.
However, the overriding conclusion is that NHS bodies are in the firing line and should be reporting the data loss. This contrasts with the Secretary of State who, in data protection terms, is not in the frame for anything.
Much like Macavity the Mystery Cat, he is not there!
Other Publicity
Forthcoming Amberhawk courses in early summer
- DP Practitioner Course: starts 6 June (Leeds) and 11 July (London)
- DP Foundation Course: starts 4 July (London)
- Next GDPR Workshop: 20 July (London)
References:
XP withdrawn in May 2015: https://www.theguardian.com/technology/2015/may/26/uk-government-pcs-open-to-hackers-as-paid-windows-xp-support-ends
Excellent blog on the issues from two Professors of IT security:
- Professor Ross Anderson (Cambridge Uni): https://www.lightbluetouchpaper.org/2017/05/13/bad-malware-worse-reporting/ and
- Professor George Danezis (UCL): https://conspicuouschatter.wordpress.com/2017/05/13/the-politics-of-the-wannacrypt-ransomware-outbreak/
Most of the time I see references to 'data loss', I conclude that the term has been used inappropriately. So I applaud the author for looking beyond this terminology and considering the impact on patients. As I understand it in most cases the effect of this incident was to prevent clinical access to patient data. This sort of event will happen again so clinicians should not put pens and paper away just yet.
Posted by: James | 19/05/2017 at 02:33 PM