The UK’s National Health Service (NHS) will move all its computers to Windows 10 as part of a plan to bolster cybersecurity after its WannaCry ransomware fright last May.
The NHS has locked in a “multi-million” centralised Windows 10 deal with Microsoft and will be spending £150 million from the government over three years to improve cybersecurity across the nation’s NHS trusts.
As part of a previously announced £60 million package delivered in the wake of WannaCry, NHS will be spending £21 million to upgrade firewalls and network gear at major trauma centre hospitals and ambulance trusts; £39 million has already been spent by NHS trusts to fix infrastructure weaknesses.
The WannaCry outbreak, which the UK has since blamed on North Korea, exposed serious weaknesses in the NHS’ patching regimen.
The attack affected a third of NHS trusts and caused over 6,900 appointments to be cancelled. The NHS, however, estimated that around 19,000 appointments in total were cancelled over the period of disruption, extrapolating from historical follow-up appointment rates.
A recent report by the Public Accounts Committee said the NHS was “lucky” the attack occurred on a Friday afternoon in summer rather than a peak period in winter.
The Committee chair said it was “alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed”.
At the time of the attack approximately five percent of NHS PCs were running Windows XP, which is only supported through custom contracts with Microsoft, and the remainder of impacted systems were running the still supported Windows 7.
WannaCry spread using EternalBlue, a leaked NSA-developed exploit for a flaw in the Windows SMBv1 implementation. Microsoft had released a patch for the vulnerability (MS17-010) in its March Patch Tuesday update; at the time of the attack, however, only around two-thirds of NHS machines had Microsoft's latest patches installed.
Every machine missing the March patch was vulnerable to WannaCry. Microsoft has claimed that Windows 10's built-in defences were impervious to WannaCry and to the later NotPetya malware attack.
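The exposure described above comes down to two conditions on each host: SMBv1 reachable, and the March 2017 fix absent. The PowerShell audit below is an added example and is not from the article, NHS Digital or Microsoft; it checks a single Windows host for both conditions. The KB list is the set of original MS17-010 updates that I am confident of, but later cumulative updates supersede them, so a missing KB is a prompt to check the update history rather than proof of exposure; the `LikelyExposed` heuristic and the 14 March 2017 cut-off date are my own assumptions.

```powershell
# Added example, not from the original article. Audit one Windows host for the
# two conditions WannaCry needed: SMBv1 enabled and MS17-010 not applied.
# Run from an elevated PowerShell prompt. Fleet-wide, wrap Test-WannaCryExposure
# in Invoke-Command against a list of computer names.

# Original March 2017 MS17-010 security updates (later cumulative updates
# supersede these, so their absence alone does not prove exposure).
$ms17010Kbs = @(
    'KB4012598',               # Windows XP / Vista / Server 2003 / Server 2008
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 (security-only / rollup)
    'KB4012214', 'KB4012217',  # Server 2012 (security-only / rollup)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Get-Smb1Status {
    # $true when the SMBv1 server is enabled, $false when disabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the SMB cmdlets.
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2 have no SMB cmdlets. SMB1 is on unless the
    # LanmanServer "SMB1" DWORD exists and is 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return ($val -ne 0)
}

function Get-InstalledMs17010 {
    # Any of the original MS17-010 KBs present on this host.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

function Test-WannaCryExposure {
    $smb1   = Get-Smb1Status
    $kbs    = @(Get-InstalledMs17010)
    # Date of the most recent update that records an install date; a host
    # patched after March 2017 has almost certainly received a superseding fix.
    $latest = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1 -ExpandProperty InstalledOn
    $os = (Get-CimInstance Win32_OperatingSystem).Caption

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        OS               = $os
        Smb1Enabled      = $smb1
        Ms17010Kbs       = ($kbs -join ',')
        LatestUpdateDate = $latest
        # Assumed heuristic: exposed if SMB1 is on, no MS17-010 KB is present,
        # and nothing has been installed since the March 2017 Patch Tuesday.
        LikelyExposed    = ($smb1 -ne $false) -and ($kbs.Count -eq 0) -and
                           ((-not $latest) -or ($latest -lt [datetime]'2017-03-14'))
    }
}

# Remediation for a host that reports Smb1Enabled = True and cannot be patched
# immediately (pick the line matching the OS, then reboot):
#   Windows 8.1 / Server 2012+:  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Windows 10:                  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
#   Windows 7 / 2008 R2:         Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWORD -Value 0

Test-WannaCryExposure | Format-List
```

Disabling SMBv1 on a host that still needs it for legacy scanners or printers will break those devices, so treat the remediation lines as the starting point for a change, not a blind fix; the patch is the real cure and the SMBv1 switch-off is the compensating control.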
The incident would have been classified as a "category 2" incident under the UK National Cyber Security Centre's new framework for ranking cyber attacks, since it did not cause loss of life.
During the attack NHS email services were unavailable, forcing staff to communicate using their own mobiles or WhatsApp. To avoid this problem in future the NHS has implemented a new text messaging alert system.
NHS Digital CEO Sarah Wilkinson highlighted that Windows 10 had a range of “advanced security and identity protection features”.
The deal with the Windows maker gives NHS access to a security intelligence feed from Microsoft’s Windows Defender Advanced Threat Protection (ATP) service which goes directly to the recently established central NHS Security Operations Centre.
Health Secretary Jeremy Hunt said: “We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS against this threat.
“This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect.”