Microsoft and NHS Digital sign new agreement for cybersecurity

NHS Digital has signed a new agreement with Microsoft, which includes patches for all its current Windows devices operating XP.

The custom support agreement will cover all NHS organisations in the UK with the contract running until June 2018, as part of NHS Digital’s cybersecurity efforts.

The new agreement will mean that Microsoft will provide NHS Digital with a “centralised, managed and coordinated framework for the detection of malicious cyber activity through its enterprise threat detection software”, said a NHS Digital spokeswoman.

This software “analyses intelligence and aims to reduce the likelihood and impact of security breaches or malware infection across the NHS”.

The agreement will provide patches and updates for all existing Windows devices operating with Windows XP, Windows Server 2003 and SQL 2005.

A new support deal for redundant Microsoft software was referenced in the government’s response, published 12 July, to Dame Fiona Caldicott’s review into data protection from last summer.

The government response referred to “working in partnership with Microsoft to help mitigate the immediate risks associated with unsupported software”.

The report said Windows XP support will be withdrawn nationally from 2018. According to NHS Digital figures 4.7% of trusts which use Windows XP, down from 18% in the past 18 months.

It noted, “central support for NHS Digital’s national applications operating on outdated platforms will be phased out, with Windows XP support being withdrawn from 2018”, the report states.

“Local organisations should be aiming to have isolated, moved away from or be actively managing any unsupported systems by April 2018.”

The NHS’ vulnerability to cyber-attacks was thrown into sharp relief in May’s WannaCry malware attack, where hackers exploited a known single Microsoft vulnerability.  The global cyber-attack hit the NHS particularly hard, with 20% of trusts affected.

Rob Shaw, the acting chief executive of NHS Digital, has defended the agency’s response to the cyber-attack and described WannaCry as the “hardest dress rehearsal of what could happen if things really went wrong” in a cyber-attack.

Microsoft stopped providing support for Windows XP in April 2014 but according to Digital Health Intelligence 2015 data on NHS infrastructure, as many as 20% of NHS organisations could still be making use of it, and around 90% are thought to run something on it somewhere in their organisation, often in clinical systems or imaging equipment.