NHS believes it can solve its cybersecurity woes by migrating the health service onto Windows 10
The Department of Health has agreed a deal with Microsoft to roll Windows 10 out across the NHS in a bid to bolster hospitals’ cybersecurity defences, which have been savaged by experts in recent months.
The long-awaited upgrade from Windows XP, which Microsoft stopped supporting four years ago, comes almost a year after the WannaCry ransomware attack spread havoc across IT systems in the NHS.
As part of the deal, all NHS devices will be upgraded to Windows 10, with Microsoft pushing the latest security updates to NHS machines as soon as they become available.
While Windows 10 boasts apps like SmartScreen and antivirus tools like Windows Defender to detect viruses, phishing and malware, as well as isolate infected machines and kill malicious processes before they are allowed to spread, the NHS has long been running XP, despite it reaching end-of-life in April 2014.
“We know cyber attacks are a growing threat, so it is vital our health and care organisations have secure systems which patients trust,” said Jeremy Hunt, the government’s health and social care secretary.
“We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS as far as reasonably possible against this threat. This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect.”
The announcement comes a fortnight after Parliament’s Public Accounts Committee (PAC) published a damning report revealing that not a single NHS trust passed its cyber security assessment, and that some trusts had failed “solely because they had not patched their systems – the main reason the NHS had been vulnerable to WannaCry”.
WannaCry affected 300,000 computers across 150 countries in May last year. The National Audit Office (NAO) found that at least 34% of NHS trusts in the UK were disrupted by the attack, leading to the cancellation of 6,900 appointments.
Although the NHS was not a target, it became swept up in the attack in light of its cyber security vulnerabilities, with critics pointing out that Windows XP is a major attack vector for hackers, given the lack of patches for security holes. However, an analysis of affected computers at the time, conducted by Kaspersky Lab, found that Windows 7 was responsible for 97% of infections, with Windows XP contributing a negligible number. Windows 10 was unaffected by WannaCry.
Shortly afterwards the Department of Health allocated £21 million to bolster the NHS’ defences, as the government accepted the recommendations set out by the National Data Guardian and Care Quality Commission reviews into security standards carried out before WannaCry – but the trusts still failed the recent PAC assessment.
Deputy chief executive of NHS Digital, Rob Shaw, said: “The new Windows operating system has a range of advancements in security and identity protection that will help us to support trusts to keep their data safe from attacks and which will cover both desktop and mobile devices.
“The additional funding will mean we can add an extra layer of protection, whilst boosting our existing services, with real-time monitoring of NHS networks and the ability to see potential threats right down to individual NHS organisations.”
When XP fell out of support four years ago, the government signed a £5 million custom support deal for computers still running the aged OS in the NHS, police and other public bodies, an agreement that ended in May 2015 despite many machines still stuck on XP.
When our sister site IT Pro spoke to the Metropolitan Police’s CIO, Angus McCallum, earlier this year, he claimed the last machines running XP would be upgraded by May.
The Department of Health refused to disclose the cost of the Microsoft deal, saying this was commercially sensitive information, but clarified it is not part of a wider £150 million investment over the next three years, announced this weekend, which includes money to set up a new NHS Digital Security Operations Centre.
Alphr has contacted NHS Digital about the number of devices the Windows 10 upgrade will apply to, and the timescale for the project.
“The importance of helping to protect the NHS from the growing threat of cyber-attacks cannot be overstated,” said Cindy Rose, chief executive of Microsoft UK. “The introduction of a centralised Windows 10 agreement will ensure a consistent approach to security that also enables the NHS to rapidly modernise its IT infrastructure.”