NHS aims to solve cyber security issues with Windows 10 migration by 2020 deadline

A stethoscope on top of a MacBook keyboard
(Image credit: Shutterstock)

The Department of Health has agreed a deal with Microsoft to roll Windows 10 out across the NHS by 2020 in a bid to bolster hospitals' cybersecurity defences, which have been savaged by experts in recent months.

The long-awaited upgrade from Windows XP, which Microsoft stopped supporting four years ago, comes almost a year after the WannaCry ransomware attack spread havoc across IT systems in the NHS.

As part of the deal, NHS devices will be upgraded to Windows 10, with Microsoft pushing the latest security updates to NHS machines as soon as they become available.

Trusts will be allowed to upgrade their devices to Windows 10 free of cost if they join a special service being set up to manage the rollout - but they must do so by January 14 2020.

This coincides with the date Microsoft will stop supporting Windows 7 with security updates.

"Central funding for Windows operating systems licenses will not be available to organisations who are not part of the service," an NHS Digital spokesperson said.

They added: "NHS organisations have already successfully migrated more than 100,000 NHS devices to the Windows 10 operating system, and guidance and support to help trusts with their migration will be provided as part of the service."

While Windows 10 boasts apps like SmartScreen and antivirus tools like Windows Defender to detect viruses, phishing and malware, as well as isolate infected machines and kill malicious processes before they are allowed to spread, the NHS has long been running XP, despite it reaching end-of-life in April 2014.

Trusts that upgrade will also get access to Windows Defender Advanced Threat Protection (WDATP), a security service that will allow NHS organisations to detect, investigate, and respond to advanced threats on their networks.

"We know cyber attacks are a growing threat, so it is vital our health and care organisations have secure systems which patients trust," said Jeremy Hunt, the government's health and social care secretary.

"We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS as far as reasonably possible against this threat. This new technology will ensure the NHS can use the latest and most resilient software available - something the public rightly expect."

The announcement comes a fortnight after Parliament's Public Accounts Committee (PAC) published a damning report revealing that not a single NHS trust passed its cyber security assessment, revealing that some trusts had failed "soley because they had not patched their systems - the main reason the NHS had been vulnerable to WannaCry".

WannaCry affected 300,000 computers across 150 countries in May last year. The National Audit Office (NAO) found that at least 34% of NHS trusts in the UK were disrupted by the attack, leading to the cancellation of 6,900 appointments.

Although the NHS was not a target, it became swept up in the attack in light of its cyber security vulnerabilities, with critics pointing out that Windows XP is a major attack vector for hackers, given the lack of patches for security holes. However, an analysis of affected computers at the time, conducted by Kaspersky Lab, found that Windows 7 was responsible for 97% of infections, with Windows XP contributing a negligible number. Windows 10 was unaffected by WannaCry.

Shortly afterwards the Department of Health allocated 21 million to bolster the NHS' defences, as the government accepted the recommendations set out by the National Data Guardian and Care Quality Commission reviews into security standards carried out before WannaCry - but the trusts still failed the recent PAC assessment.

Deputy chief executive of NHS Digital, Rob Shaw, said: "The new Windows operating system has a range of advancements in security and identity protection that will help us to support trusts to keep their data safe from attacks and which will cover both desktop and mobile devices.

"The additional funding will mean we can add an extra layer of protection, whilst boosting our existing services, with real-time monitoring of NHS networks and the ability to see potential threats right down to individual NHS organisations."

When XP fell out of support four years ago, the government signed a 5 million custom support deal for computers still running the aged OS in the NHS, police and other public bodies, an agreement that ended in May 2015 despite many machines still stuck on XP.

When IT Pro spoke to the Metropolitan Police's CIO, Angus McCallum, earlier this year, he claimed the last machines running XP would be upgraded by May.

The Department of Health refused to disclose the cost of the Microsoft deal, saying this was commercially sensitivity information, but clarified it is not part of a wider 150 million investment over the next three years, announced this weekend, which includes money to set up a new NHS Digital Security Operations Centre.

IT Pro has contacted NHS Digital about the number of devices the Windows 10 upgrade will apply to, and the timescale for the project.

"The importance of helping to protect the NHS from the growing threat of cyber-attacks cannot be overstated," said Cindy Rose, chief executive of Microsoft UK. "The introduction of a centralised Windows 10 agreement will ensure a consistent approach to security that also enables the NHS to rapidly modernise its IT infrastructure."

Picture: Shutterstock

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.