The Department of Health and Social Care has announced that it will transition all National Health Service (NHS) computer systems to Microsoft Windows 10 as part of plans to strengthen cyber security.
Officials cited the operating system’s more advanced security features as the primary reason for upgrading current systems, such as the SmartScreen technology, the Microsoft Edge browser and the Windows Defender antivirus software.
The announcement of the move comes less than two weeks after the government spending watchdog ordered the Department of Health and Social Care to work out the cost of the May 2017 WannaCry attack on the NHS before the end of June 2018, so trusts know where to target their cyber security spending.
The watchdog also ordered the department to set out how it plans to shore up the NHS’s cyber defences in anticipation of another attack against its systems.
Announcing the Microsoft deal at the weekend, the government said the move will ensure all health and care organisations are using the latest Windows 10 software with up-to-date security settings to help prevent cyber attacks.
According to Microsoft, the centralised Windows 10 agreement will ensure a consistent approach to security that will also enable the NHS to modernise its IT infrastructure.
The latest deal with Microsoft comes eight months after NHS digital signed a new support agreement with Microsoft three months after NHS was hit by global ransomware attack that affected Windows computers, exploiting a vulnerability that had been patched by Microsoft two months before.
Although computers running Windows 7 were most heavily affected, WannaCry once again highlighted that the NHS continues to rely on Windows XP, despite the fact that the government decided to end extended support for this obsolete operating system in April 2015.
The WannaCry attack affected 80 hospital trusts and more than 600 primary care organisations across England, contributing to the cancellation of around 20,000 hospital appointments and operations as staff were unable to access key healthcare IT systems.
Additional investments and powers
The government claims that since 2017 it has invested £60m to address cyber security weaknesses, and that a further £150m will be spent over the next 3 years to improve the NHS’s resilience against attacks.
This spending will include setting up a new digital security operations centre to prevent, detect and respond to incidents, which will enable NHS Digital to respond to cyber attacks faster, and enable local trusts to detect threats, isolate infected machines and kill the threat before it spreads.
In announcing the additional cyber security funding, the government said an initial £21m would be targeted at increasing the cyber resilience of major trauma sites as an immediate priority, and improve NHS Digital’s national monitoring and response capabilities.
The government said other measures to improve cyber security include £21m to upgrade firewalls and network infrastructure at major trauma centre hospitals and ambulance trusts, and £39m spent by NHS trusts to address infrastructure weaknesses.
Measures also include new powers given to the Care Quality Commission to inspect NHS trusts on their cyber and data security capabilities, a data security and protection toolkit which requires health and care organisations to meet 10 security standards, and a text messaging alert system to ensure trusts have access to accurate information even when internet and email services are down.
All of this funding was part of additional funding announced in July 2017 in a package of government measures to improve NHS cyber security in response to a review on data security and data sharing in the health and social care system by national data guardian Fiona Caldicott, published in July 2016.
Health and social care secretary Jeremy Hunt said: “We know cyber attacks are a growing threat, so it is vital our health and care organisations have secure systems which patients trust.
“We have been building the capability of NHS systems over a number of years, but there is always more to do to futureproof our NHS against this threat.
“This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect,” he said.
Many factors to good security
Mark James, security specialist at Eset, said the benefits of Windows 10 over 7 and XP are huge, especially the browser. “But we must remember it’s not just the desktop platform, there are many devices in the NHS ecosystem that will require upgrading,” he said.
The positive side, said James, is the ability to keep the operating system regularly updated moving forward. “Windows 10 is the easiest way to do this to date and has many features that will help protect this delicate environment,” he said, adding that any move towards a greater level of security has to be welcomed.
However, James warned that it will not be easy. “It will come with its fair share of snags and issues, but as with most improvements it will be better going forward,” he said.
“IT security is made up of many factors, a multi-layered approach is the only way forward and it appears a good start in getting it right. Education, knowledge, hardware and software all make up the many faceted edges needed to protect NHS data safe from the never ending onslaught from bad actors,” he added.
Andy Norton, director of threat intelligence at Lastline, said the NHS is signalling that an inherently more secure operating system is less risk than a less secure operating system running next-generation endpoint security.
“Of course it does not address the problem of legacy apps that won’t run on windows 10, nor does it solve the user case of WannaCry,” he said, noting that without the appropriate patching, Windows 10 was still vulnerable, which means that switching to Window 10 will not eliminate all vulnerabilities.
Improving trust and security
Research by Palo Alto Networks, conducted two months after the WannaCry attacks in 2017, which looked into securing NHS data in the digital age polled 100 NHS IT decision-makers and revealed that 65% believed that improved data security would improve the level of trust from patients.
Nearly half (49%) said they believed improved data security would help streamline processes, 46% said they believed it would increase the use of online triage, and 45% said it would lead to long-term cost savings.
The survey also revealed that in the wake of WannaCry, 41% of respondents believed that a cyber attack is one of the biggest threats to the NHS, 69% thought a ransomware attack would be the biggest IT threat, while 42% said their department could barely function, if at all, because of WannaCry.
However, further underlining the need to secure the NHS, 90% of respondents said they expect to see benefits as a result of digitalisation in the NHS, with benefits most likely to be integrated health and social care (59%), long-term cost savings (51%) and greater protection of patient data (50%).
The majority (85%) of surveyed IT decision-makers said their organisation’s systems require a redesign so that they can meet demand for their services.