Is what we might learn about the terrorists worth risking people's lives for?
Obviously GCHQ didn't know about it - otherwise they would have told the NHS
It's not like the British government would risk the lives of 1000s of ordinary people to keep secret a tiny exploit
We don't live in a police state. If you patch the NHS computers, civilian computer types are going to know, including civilian computer types without security clearances.
So the decision would have been something like, "Is it what we might learn about 'the terrorists', Russians and Chinese worth risking the lives of UK citizens needing health care?"
Similar conversation in the USA regarding US civilian lives, except that protecting US health care systems is even harder since few of them are government owned and operated.
Biting the hand that feeds IT
