NHS Digital signs cyber security agreement with Microsoft

Support contract comes three months after NHS hit by global ransomware attack that targeted Windows computers

In the wake of the global WannaCry ransomware attacks, NHS Digital has signed a cyber security support agreement with Microsoft.

The WannaCry attacks in May 2017 highlighted the vulnerability of unpatched operating systems, with the attack exploiting a vulnerability that had been patched by Microsoft two months before.

The WannaCry attacks also highlighted system-wide issues around lack of infrastructure investment and the need for cyber security training and awareness among NHS staff.

Although computers running Windows 7 were most heavily affected, WannaCry once again highlighted the fact that the NHS continues to rely on Windows XP, despite the fact that the government decided to end extended support for this obsolete operating system in April 2015. 

WannaCry, which caused major disruption across the NHS, thrust the risk of unpatched operating systems into the spotlight, and just three months later NHS Digital has put measures in place to ensure Windows XP machines will once again get security updates.

Although WannaCry was not specifically targeted at the NHS, it raised questions about the resilience of the service’s IT systems.

In July 2017, the government announced it would boost investment in NHS data and cyber security above the £50m identified in the Spending Review to address key structural weaknesses, such as unsupported systems.

The additional funding is part of a package of measures to improve NHS cyber security, announced by the government in response to a review on data security and data sharing in the health and social care system by national data guardian Fiona Caldicott, published in July 2016.

In announcing the additional cyber security funding, the government said an initial £21m would be targeted at increasing the cyber resilience of major trauma sites as an immediate priority, and at improving NHS Digital’s national monitoring and response capabilities.

The custom support agreement that covers all NHS organisations in the UK until June 2018 includes security updates for Windows XP, Windows Server 2003 and MS SQL 2005. According to the government’s response to the Caldicott review, Windows XP support will be withdrawn from 2018.

In the light of this deadline, NHS Digital claims that only 4.7% of trusts use Windows XP, which is down from 18% in the past 18 months.

In line with the spending announcement, Microsoft will also provide NHS Digital with a “centralised, managed and coordinated framework for the detection of malicious cyber activity through its enterprise threat detection software”, according to a statement by NHS Digital. 

This service “analyses intelligence and aims to reduce the likelihood and impact of security breaches or malware infection across the NHS,” the statement said.

According to NHS Digital, the new contract with Microsoft is in line with similar agreements between Microsoft and other government departments.

“One of NHS Digital’s key roles is to work closely with other national partners to explore and provide additional layers of cyber security support to NHS organisations when they need it - with the aim of minimising disruption to NHS services and patients,” the statement said.