The government’s Department of Health and Social Care has agreed a deal with Microsoft that will enable all NHS organisations to use Windows 10, which will strengthen their defences against future cyber attacks.
This deal is representative of a period where cyber attacks are running riot, and health services are particularly vulnerable. Last year, NHS hospitals and businesses across the world were plunged into chaos following the WannaCry and NotPetya ransomware attacks.
Cindy Rose, CEO of Microsoft UK, said: “The importance of helping to protect the NHS from the growing threat of cyber attacks cannot be overstated. The introduction of a centralised Windows 10 agreement will ensure a consistent approach to security that also enables the NHS to rapidly modernise its IT infrastructure.”
“This agreement ensures NHS staff have the best tools available to help with the incredible work they do, ultimately enabling them to deliver even greater patient care.”
The partnership between Microsoft and the UK’s national health service will help ensure that disruption on this scale doesn’t happen again, as previously unsupported computer systems will now be supported.
Sarah Wilkinson, chief executive at NHS Digital, said: “We welcome the Secretary of State’s commitment to prioritise cyber security. The new Windows Operating System has a range of advanced security and identity protection features that will help us to keep NHS systems and data safe from attack. This is one of a suite of measures we are deploying to protect the service from cyber attack.”
Responding to the threat
The deal is the latest in a series of measures to strengthen cyber security in the NHS since the WannaCry attack in May 2017, and will enable NHS Trusts to benefit from enhanced security intelligence. At a local level, individual trusts will have the ability to detect threats, isolate infected machines and kill malicious processes before they are able to spread.
Since 2017 the government has invested £60 million to address key cyber security weaknesses – with a further £150 million pledged over the next three years to improve resilience, including the setting up of a new NHS Digital Security Operations Centre to boost our ability to prevent, detect and respond to incidents.
This will allow NHS Digital to improve its near real-time capability to respond to cyber attacks, reducing the impact of an attack on NHS infrastructure.
Health Secretary Jeremy Hunt said that “cyber attacks are a growing threat, so it is vital our health and care organisations have secure systems which patients trust.”
“We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS against this threat.”
“This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect.”
Tackling the cyber security problem of the NHS
On top of this partnership with Microsoft, £21 million will be committed to upgrading firewalls and network infrastructure at major trauma centre hospitals and ambulance trusts to improve security at key emergency sites – protecting technology such as MRI scanners and blood test analysis.
A further £39 million has already been spent this year by NHS trusts to help them address infrastructure weaknesses which prevented them from fully implementing solutions to address all historic cyber alerts.
The department has also launched a Data Security and Protection Toolkit, which requires health and care organisations to meet 10 key standards, including appointing a senior executive to oversee data and cyber security.
Best practice initiatives like this, along with security investment, are essential in helping to mitigate the cyber threat. Of course, not all cyber attacks will be prevented. However, none should have ever been on the scale of attacks like WannaCry.
Health Minister Lord O’Shaughnessy said: “Patient data must be properly protected and this significant investment will help to keep our systems resilient and up-to-date.”
“This will give patients greater confidence in how their information is managed by the NHS.”
Industry reaction
The new licensing agreement that the NHS has signed with Microsoft has been warmly welcomed, and is “fantastic news,” according to Simon Townsend, CTO – EMEA of IT and cyber security company, Ivanti.
Townsend points to the fact that the NHS first signed a deal with Microsoft to provide all of its desktop software – from operating systems to Office programmes – in 2004.
“For six years it had the latest of everything and was kept secure and patched up until austerity hit in 2010 and the deal ended. This left the NHS in a bad position because it had previously been using £270 million worth of Microsoft software for less than £65 million a year. When the agreement was thrust out from under it, the NHS was left unable to cope, and individual trusts were effectively left to fend for themselves.”
“Eight years later, the state of the NHS’s IT systems is weak, which was exploited by attacks like WannaCry. It has been relying on legacy systems, leaving it completely under-equipped for cyber attacks, as well as other contemporary issues such as GDPR compliance,” explained Townsend. “How could it be expected to handle 2018 problems with 2002 technology? This is why WannaCry was so damaging. Criminals exploited that some trusts were using unpatched Windows 7 systems and some were using completely unsupported Windows XP systems.”
“All of this shows why it is such a massive turning point that a new licensing deal has been signed. Individual NHS trusts have not had the time or budget to upgrade their systems and have been crying out for a solution like this that comes from the top. A lot of money and time has been squandered because of the prior reliance on legacy technology, so this new contract should go a long way in helping the NHS get back up to where it needs to be.”