Amber Rudd says patient records may have been lost in NHS cyber attack

Amber Rudd has said NHS patients' files could have been lost after an unprecedented cyber attack saw medical staff locked out of test results, X-rays and patient records.

The Home Secretary said she “hoped” data would be retrievable, but that “holes” in the back-up systems are likely to emerge in the coming days.

The attack on Friday afternoon saw at least 30 health service organisations across England and Scotland infiltrated by malicious software based on hacking tools developed by US cyber-warfare agents, while many others shut down servers as a precautionary measure.

When asked on BBC Breakfast whether patients' files were backed up, Ms Rudd said: “I hope the answer is yes, that is the instructions that everybody has received in the past.

“That is good cyber defence, but I expect, and we will find out over the next few days if there are any holes in that.”

She added: “There may be lessons to learn from this but the most important thing now is to disrupt the attack, let's come back to afterwards whether there are lessons to be learned.”

The attack, which has left thousands of patients across England and Scotland stuck in limbo after A&E wards, GP surgeries and other vital services across the NHS were infected, has led to accusations that preventative measures could have been taken “months ago”.

A former NHS trust chairman, Roy Lilley, told Sky News: “Over time, Microsoft has held us to ransom, and of course the NHS hasn't got the money to pay for it [...] There has not been enough investment over a long enough period in IT.

“The question for the politicians now is what are you going to do about IT in not only the NHS, but the public sector more widely.”

Ms Rudd said it was “disappointing” that NHS services had been using Windows XP, a 16-year-old operating system that Microsoft officially ended support for in 2014.

Speaking to Sky News, she said: “It is disappointing that they have been running Windows XP - I know that the Secretary of State for Health has instructed them not to and most have moved off it.

”Where the patient data has been properly backed up, which has been in most cases, work can continue as normal because the patient data can be downloaded and people can continue with their work."

The Home Secretary said the software was “not a good platform” for storing data securely due to a lack of defence against viruses, and that NHS trusts would now be advised to modernise their platforms.

She told the BBC’s Today programme: ”Windows XP is not a good platform for keeping your data as secure as the modern ones, because you can't download the effective patches and anti-virus software for defending against viruses.

“CQC (Care Quality Commission) does do cyber checks on the NHS trusts, on hospitals when they do their visits, and they will be advising NHS trusts to move to modernise their platforms and I think that after this experience, I would expect them all to move forward with modernising.”

Ms Rudd said that work was ongoing to identify the attackers, adding the assault “feels random in terms of where it's gone to and where it's been opened”.

The attack plunged the NHS into chaos on Friday afternoon as patients across the UK had their appointments and operations cancelled and medical staff were locked out of test results, X-rays and patient records.

Doctors warned that the infiltration – said to be the largest cyber-attack in NHS history – could cost lives.

At least 30 health service organisations are said to have been infiltrated by the malicious software, while many others shut down servers as a precautionary measure, meaning all systems were offline and hospitals were unable to accept incoming calls.

NHS trusts have today requested new patients do not come to A&E, but instead to ring 111, or 999 in the case of an emergency.

Non-emergency patients have been advised to use health facilities frugally, while those who are critically ill have had to be diverted to unaffected hospitals as computer systems failed in A&E units.