The government has indicated that there will be a blitz on removing obsolete technology from the NHS that poses a security risk.

Two reports issued today – Dame Fiona Caldicott’s latest report on data security and information governance and a Care Quality Commission Review of cyber security – both comment on the risk posed by outdated IT systems.

In response, life sciences minister George Freeman said: “We are working with suppliers, including Microsoft, to help health and care organisations update their systems and make sure they are safe to use and store data.”

He said that the Health and Social Care Information Centre “will launch an initiative to support this work later this year.”

The involvement of Microsoft is likely to be significant, since health is known to have a particular issue with the Windows XP operating system.

Although support for XP was withdrawn in April 2014, Digital Health Intelligence information suggests that around 20% of NHS organisations may still be using it as their main operating system, and that almost all will have some machines or devices still using the OS.

As reported in Digital Health Intelligence’s Cyber Security Hub recently, a virus that used the OS took down the pathology service of the Royal Melbourne Hospital in Australia in the new year.

In its review, the CQC says that “computer hardware and software that can no longer be supported should be replaced as a matter of urgency.”

The CQC was asked to look at the availability of patient information to those who need it, at how that information is protected from alteration, damage and loss, and at confidentiality. To do this, it visited 60 NHS sites across England, and collected staff views on its key concerns.

Its findings start on an optimistic note, by saying it found “an evident, widespread commitment to data security” in the NHS, but go on to note many issues with it.

The review says that while data security policies and procedures are “in place” at many sites, “benchmarking with other organisations was all but absent” – as was external validation of security arrangements.

It also notes that “day to day practice did not necessarily reflect [policies]” and that where data security systems and protocols were poor or clunky staff had a tendency to develop work arounds, “an issue especially evident in emergency medicine settings.”

Similarly, it argues that while there were ‘just’ 533 reported data breaches in the year to 31 May 2015, while there were 6.5 billion electronic data transactions, its researchers found “many examples of bad practice which could have led to a data breach.”

The review goes on to make a large number of detailed recommendations, grouped around the mantra of good security being a matter of people, policies, and technology, and including examples of what both good and bad practice looks like.

It says every organisation needs clear ownership and leadership on data security, and that staff should be given “the right information, tools, training and support” to deliver it; while still doing their jobs.

In line with one of the messages of Dame Fiona’s higher profile report, the CQC says trusts should strengthen their IT security arrangements “to a level similar to those assuring financial integrity and accountability” and make more use of external validation.

Finally, the review confirms that the CQC will amend its assessment framework and inspection approach to include the new data security standards recommended in Dame Fiona’s report and now out for public consultation.