NHS in cyber deal with Microsoft

by Mark Rowe

The Department of Health has made a deal with Microsoft to enable health and care bodies to use the latest Windows 10 software with up-to-date security settings to combat cyber attacks. Health trusts running old and unsupported Windows software led to some hospitals losing their IT during the WannaCry malware outbreak in May 2017; fears that they would be vulnerable to such an attack prompted some to shut down their systems, which equally disrupted patient care.

Since 2017, the Westminster government says, it has spent £60m to address cyber security weaknesses. A further £150m over the next three years will improve the NHS’s resilience against attacks, according to the Department of Health. This will include setting up a new digital security operations centre to respond to incidents.

The DoH announced £21m to upgrade firewalls and network infrastructure at major trauma centre hospitals and ambulance trusts; and new powers given to the Care Quality Commission, the regulator of hospitals, to inspect NHS trusts on their cyber and data security. A data security and protection toolkit will require health and care organisations to meet ten security standards; and a text messaging alert system will offer trusts access to accurate information – even when internet and email services are down.

Health and Social Care Secretary Jeremy Hunt said: “We know cyber attacks are a growing threat, so it is vital our health and care organisations have secure systems which patients trust. We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS against this threat. This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect.”

Background

According to an October 2017 report by the National Audit Office on the WannaCry impact on the National Health Service, NHS Digital told the NAO that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves. Infected organisations had unpatched or unsupported Windows operating systems, so were susceptible to the ransomware. However, whether organisations had patched their systems or not, taking action to manage their internet-facing firewalls would have guarded them against infection. And a report last month by the Public Accounts Committee of MPs found that WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS. The PAC complained that the Department of Health still does not know what financial impact the WannaCry cyber-attack had on the NHS, which is hindering its ability to target its investment in cyber security.

Comment

Simon Townsend, CTO – EMEA at Ivanti, an asset and IT management product company, welcomed the new licensing agreement. He recalled that the NHS first signed a deal with Microsoft to provide all of its desktop software – from operating systems to Office programmes – in 2004. “For six years it had the latest of everything and was kept secure and patched up until austerity hit in 2010 and the deal ended. This left the NHS in a bad position because it had previously been using £270million worth of Microsoft software for less than £65million a year. When the agreement was thrust out from under it, the NHS was left unable to cope, and individual trusts were effectively left to fend for themselves.

“So, eight years later, the state of the NHS’s IT systems is poor. It has been relying on legacy systems, leaving it completely underequipped for cyberattacks like WannaCry, as well as other contemporary issues such as GDPR compliance. How could it be expected to handle 2018 problems with 2002 technology? This is why WannaCry was so damaging. Criminals exploited that some trusts were using unpatched Windows 7 systems and some were using completely unsupported Windows XP systems.

“After the attack, the NHS did sign a new agreement, specifically for cybersecurity, with Microsoft. The custom support agreement and Enterprise Threat Detection Service (ETDS) provided it with patches and updates for all existing Windows devices operating as XP, Windows Server 2003 and SQL 2005. However, in January of this year, it was exposed that only 2% of the NHS had actually deployed the ETDS. The latest update was that all trusts tested for vulnerabilities by the civil service didn’t meet standard requirements, meaning that they were most definitely not ready to face another large-scale attack.

“All of this shows why it is such a massive turning point that a new licensing deal has been signed. Individual NHS trusts have not had the time or budget to upgrade their systems and have been crying out for a solution like this that comes from the top. A lot of money and time has been squandered because of the prior reliance on legacy technology, so this new contract should go a long way in helping the NHS get back up to where it needs to be.”

© 2024 Professional Security Magazine. All rights reserved.