Outdated computer system "a ticking time bomb" for NHS
13 Scottish health boards and 47 trusts in England were compromised when the virus targeted computers with old security.
The health service was one of thousands of organisations around the world paralysed by a global cyber attack on Friday.
Security experts have warned the NHS that running outdated computer operating systems is a “ticking time bomb”, leaving it vulnerable to further attacks.
Forty-seven trusts in England and 13 Scottish health boards were compromised when the virus targeted computers with old security.
The IT meltdown forced the cancellation of thousands of appointments and procedures across the country, with ambulances at some hospitals having to be diverted.
David Emm, principal security researcher at Russian cybersecurity firm Kaspersky Lab, said there were huge dangers in running the outdated XP operating system, for which Microsoft no longer issues security updates.
He said: “It's like not knowing that your window frame is rotten, or knowing about it but you haven't got round to fixing it yet, and in the meantime somebody comes in through the window.”
Major organisations have to manage a large number of computing operations and need to be able to manage updates to the operating systems they rely on, Mr Emm said.
“If you miss some of those, then obviously you have an in-house point of weakness that could be used by an external attacker.
“The fact that we are seeing reports of a percentage of the NHS running Windows XP is quite worrying, because that operating system came out in 2001.
“That's a long time just in human years, but in technological terms that's really, really old.
“It's easy to say Microsoft should be patching it even if it's old, but they no longer support that.
“It's a bit like having your favourite pair of trousers - you might want to patch them and fix them up, but there comes a point when you've got to say, 'They're so scruffy and so ripped that I've just got to go to the shop and get a new pair'. It's no longer worthwhile to patch them, it can't realistically be done.
“Even though Microsoft has taken the extraordinary decision of issuing a patch for this not-supported operating system, the problem is any other vulnerability that's found on XP isn't going to be patched because Microsoft no longer does routine patches or security updates for that operating system.”
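As an added illustration, not from the article or from Kaspersky Lab, the following Python snippet applies the distinction Mr Emm draws to a constructed asset inventory: a host on an end-of-life operating system that received the one emergency patch is still unsupported for every flaw found afterwards. The end-of-support dates are public Microsoft lifecycle dates; the patch identifier and the host names are placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Public Microsoft end-of-extended-support dates; Windows XP is the system the
# article says Microsoft no longer supports.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Placeholder id for the one emergency out-of-band patch the article mentions;
# the real update identifier is not given on the page.
OUT_OF_BAND_PATCH = "OOB-PATCH-PLACEHOLDER"

@dataclass(frozen=True)
class Host:
    name: str
    os: str
    patches: frozenset  # ids of updates actually installed on the host

def classify(host: Host, today: date) -> str:
    """Label a host by the support status of its operating system:
    supported / unsupported-hotfixed (end-of-life, but has the one emergency
    patch) / unsupported-exposed (end-of-life and lacks even that patch).
    An OS missing from the table is treated as unsupported, not trusted.
    """
    eol = END_OF_SUPPORT.get(host.os)
    if eol is not None and today < eol:
        return "supported"
    if OUT_OF_BAND_PATCH in host.patches:
        return "unsupported-hotfixed"
    return "unsupported-exposed"

def triage(hosts, today: date) -> dict:
    """Group host names by label; both unsupported lists are the migration queue."""
    groups = {"supported": [], "unsupported-hotfixed": [], "unsupported-exposed": []}
    for host in hosts:
        groups[classify(host, today)].append(host.name)
    return groups

# Constructed sample inventory (not real NHS systems), dated to the attack week.
TRIAGE_DATE = date(2017, 5, 13)
SAMPLE_HOSTS = [
    Host("ward-pc-01", "Windows XP", frozenset()),
    Host("radiology-02", "Windows XP", frozenset({OUT_OF_BAND_PATCH})),
    Host("admin-07", "Windows 7", frozenset({"KB-ROUTINE-PLACEHOLDER"})),
    Host("mri-console", "Embedded OS (unknown)", frozenset()),
]
```

Running `triage(SAMPLE_HOSTS, TRIAGE_DATE)` puts only the Windows 7 host in the supported group; the hot-fixed XP machine is listed separately so it is not mistaken for a patched one.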
Mr Emm said organisations were often able to uncover and recognise vulnerabilities in code, but changing some of that code could have a knock-on impact elsewhere in the system, with unintended consequences - a butterfly effect.
Updating operating systems in big organisations is a massive undertaking, Mr Emm said, comparing such organisations to “supertankers”.
He said: “Part of this is logistics, part of it is money. If you want to move to a different operating system that is supported, clearly that involves a cost both in terms of purchasing the operating system but also in terms of having the staff free to be able to do that deployment.
“If it's a system that's in use, then replacing that operating system is going to involve at some point saying to somebody, 'You can't use that for the next hour because we need to roll out an update to it'.
“Any organisation could be described as a supertanker - things move along, but it's not that easy to navigate. It takes time and planning, and if you miss something in your calculations there's a potential that something could blow up like this.
“If something gets disturbed and technicians can't do their jobs properly, then you end up having to switch to paper records anyway, so there's a certain disincentive to do it.
“But what is clear is that this is not across the board in the NHS - it seems pretty obvious that some parts of the NHS, some trusts, have managed this process better than others.
“Otherwise we'd be looking at a problem across the board.”