In November last year, six months after the WannaCry ransomware attack took place, the NHS entered into a landmark Custom Support Agreement with Microsoft. In the agreement, Microsoft promised not only to provide a dedicated team to ensure all legacy systems used by NHS trusts and hospitals continued to receive critical security updates but also pledged to support the migration of all legacy systems to Windows 10 standard in the long term.
"It was impossible to protect devices running on the out-of-date operating systems that lacked the software to protect them against the threats. Unfortunately, simply upgrading these devices quickly was not always possible – many of them run sophisticated medical equipment or are provided within specialist supplier applications," the NHS said.
On Saturday, the Department of Health and Social Care announced that it had finally agreed to a multi-million deal with Microsoft that would ensure all health and care organisations will be able to use the most up-to-date software with the latest security settings.
Thanks to the agreement, all legacy systems used by NHS organisations will be gradually upgraded to Windows 10 standard and the enhanced security credentials in the latest operating system will be leveraged to reduce the likelihood and impact of security breaches or malware infection.
For example, data gathered by the Windows Defender Advanced Threat Protection tool will allow a central NHS Security Operations Centre to create a centralised, managed, and coordinated framework to detect malicious cyber activity and to ensure enhanced visibility around how threats try to move across the organisation.
The Department added that to ensure the timely upgrade of legacy systems belonging to NHS organisations and to set up a new NHS Digital Security Operations Centre, the government has promised to spend £150 million in the next three years.
"We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS against this threat. This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect," said health secretary Jeremy Hunt.
"The new Windows Operating System has a range of advanced security and identity protection features that will help us to keep NHS systems and data safe from attack. This is one of a suite of measures we are deploying to protect the service from cyber-attack," said Sarah Wilkinson, chief executive at NHS Digital.
While the government has set aside £150 million to upgrade all legacy systems and to set up a new NHS Digital Security Operations Centre, it is also spending £21 million on upgrading firewalls and network infrastructure at major trauma centre hospitals and ambulance trusts. This step will ensure enhanced security around sensitive technology such as MRI scanners and blood test analysis tools.
Other new government initiatives include the launch of a Data Security and Protection Toolkit which requires health and care organisations to meet 10 key standards, the implementation of a text messaging alert system to ensure trusts have access to accurate information at all times, and empowering the Care Quality Commission to inspect NHS trusts on their cyber and data security capabilities in conjunction with NHS Digital.
Commenting on the Department's latest announcement, Andy Norton, director of threat intelligence at Lastline, told SC Magazine UK that the move will not result in any significant change other than Microsoft earning £150 million.
"The NHS is signalling that an inherently more secure operating system is less risk than a less secure O/S, running next generation endpoint security. Of course it does not address the problem of legacy apps that won't run on windows 10. Nor does it solve the user case of WannaCry; Windows 10 was still vulnerable," he said.
Mark James, security specialist at ESET, also said that the £150 million fund will only benefit desktop platforms used by NHS organisations but there are many devices within the NHS ecosystem that will require upgrading to the new standard.
That being said, the move has to be embraced with open arms as the benefits of Windows 10 over older versions of the operating system are huge. "However, it won't be easy, it will come with its fair share of snags and issues but as with most improvements it will be better going forward.
"IT security is made up of many factors, a multi-layered approach is the only way forward and it appears a good start in getting it right. Education, knowledge, hardware and software all make up the many-faceted edges needed to protect NHS data safe from the never ending onslaught from bad actors," he added.
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout