Could the NHS 2017 cyber attack have been prevented? A Business Analysts View


Ultimately. All cyber attacks can be prevented.

But here’s the reality:

Most people AND organisations don’t keep up with security prevention requirements. Thus leaving themselves open to cyber attack(s).

So what are those prevention requirements?

After reading this, you will have a great insight to the non-functional requirements you can introduce to your work in order to:

  1. Prevent cyber attacks
  2. Overcome cyber attacks with minimum impact

Yes. They are known as non-functional requirements or NFRs.

And the great thing?

By getting these right,  you can help prevent much of the noise we’re now hearing about the world-wide cyber attacks.

It could even save your customers from being ransomed for hundreds of thousands of pounds.

This post uncovers the essential requirements that even the most experienced Business Analysts may overlook.

But first, let’s look at an overview of the NHS Cyber attack

The NHS Cyber Attack

If you live and work in England you are likely aware of the cyber attack imposed on your NHS on 12th May 2017.

An attack which impacted lots of NHS Hospitals in England.

And although the NHS was the most talked-about victim, The attack was in fact a global issue.

Here’s a map of the affected countries courtesy of BBC:


There were 200,000 known victims in what can only be called a global cyber-attack.

Could the NHS Cyber attack have been prevented

It’s been reported that the NHS were warned about the need to upgrade in order to cover a loop hole in the security of XP

the English Defence Secretary Michael Fallon said:

“£1.9bn had been set aside for UK cyber-protection – when cyber-attacks were identified as one of three main threats to the UK’s defences.

We’re spending around £50m on the NHS cyber systems to improve their security.  We have encouraged NHS trusts across the country to reduce their exposure to the weakest system, the Windows XP.” –

This shows the central government have been warning local NHS trusts to patch up their systems by upgrading from XP. The most vulnerable operating system.

Further, Health Secretary Jeremy Hunt on Saturday was asked why concerns repeatedly flagged up about the NHS’s “outdated, unsupported and vulnerable” machines had not been addressed.

In December it was reported that nearly all NHS trusts were using an obsolete version of Windows for which Microsoft had stopped providing security updates in April 2014. Data acquired by software firm Citrix under freedom of information laws suggested 90% of trusts were using Windows XP, then a 15-year-old system. –


How much NHS data was actually backed up before the cyber attack.

As of this writing, it’s  unclear exactly how much NHS data was backed up across the hospitals.

But there is claims that the data is/was backed up every day in the preparation for a cyber-attack similar to these.

But let’s have a look at the requirements businesses could and should be adhering to in order to prevent OR respond to cyber-attacks of this kind.

Amber Rudd, the home secretary, refused to confirm on whether patient data had been backed up, and said the NHS would upgrade its software in the wake of the attack. She said data “should” be backed up, but would not say whether it actually had been.

Bradford NHS have a full backup policy on their website. However even this doesn’t state exactly when and how often data will be backed up –

Which System Requirements could have prevented the NHS Cyber Attack?

The system requirements are categorised into:

  1. Software requirements
  2. Hardware requirements
  3. Backup requirements
  4. Recovery requirements

Software requirements to prevent cyber attack

In the current age of rapid development of Systems, the ability for hackers to identify loopholes and the need to overcome those loopholes, we need to be moving with the times.

Here’s the lifecycle of hacking

Release Software – Hackers identify loopholes to compromise software – Creators of software develop upgrades to close the loophole – Customer SHOULD upgrade

However most big businesses have upgrading their systems on the bottom of their agenda.

Usually due to cost.

If you sell your systems to corporate companies you may need to set minimum requirements for their operating systems on which your application will run. In turn forcing them to upgrade.


Hardware Requirements to prevent cyber attack

To define the hardware requirements, start with the following questions:

  • What hardware must be used for your application to run?
  • Which computers specifications must be used for your app to run?
  • Which connected hardware can be used with your app?

Often development companies need to stop support for hardware before their customers will upgrade. But this can be far too late where hackers are concerned.

So we need to stay up to date with where the loop holes are in hardware as well as software.


How much NHS Patient Data could have been backed up or recovered

Backup requirements for overcoming cyber attacks

There’s a number of questions we need to ask when eliciting requirements.

But it’s the answers to those questions that will minimise the disruption following a cyber attack.

Here’s the questions:

  • WHERE should the data be backed up
  • HOW OFTEN must the data be backed up – live/ once per hour / once per day
  • Which data should be backed up

Let’s look at the first question – WHERE?

If the data can be backed up in a different location to the PC on which your system resides, then do it.

However this could be technically difficult as it probably requires a consistent network connection.

Do the digging to find out what your setup is.

Now for the 2nd question – HOW OFTEN

The answer to this will depend on how much data is being change on a regular basis.

For example:

if thousands of records are updated every hour you will want to update more than once a week.

Disaster Recovery requirements for responding to cyber attacks

Having a clear procedure for recovering lost files will give you a great way to minimise disruption from a cuber attack.

I worked for a company who owned their own disaster recovery centre in a city 100 miles away from their offices.

They even had regular practice runs to ensure all data could be recovered in the instance of a failed server or collection of computers.

Here are the areas to address when thinking about disaster recovery:

  • Time to recover system files
  • How much data loss is acceptable
  • How to access the system in the case of disaster recovery
  • Location of disaster recovery
  • Failover rules


In conclusion to preventing cyber attacks

Whether your the user of a system providing requirements. Or a Business Analyst eliciting  requirements, you MUST bear these types of requirements in mind so you can protect yourselves and/or you company for the future possibilities.


Leave a Reply

Your email address will not be published. Required fields are marked *