This month our cybersecurity columnist wonders whether upgrading devices to Windows 10 will improve cyber-resilience and confront the serious security challenges faced by NHS trusts.
So, the Department of Health and Social Care has jumped into bed with Microsoft to improve cyber-resilience across the NHS by upgrading devices to Windows 10. While far from being a Windows 10 naysayer, I can’t help but wonder if this relationship will be able to deliver the levels of cyber-resilience it appears to promise.
Although the move to provide these operating system upgrades via a central licensing deal was prompted by last year’s WannaCry incident and the resulting post-mortem, the roots run much deeper than that.
In fact, it could be argued that it runs right back to when the last centralised Microsoft deal ended back in 2010, and trusts struggled to cope with the cost of updating.
The issue with updates
Sure, the agreement for the Microsoft Enterprise Threat Detection Service (ETDS) was signed after WannaCry, and in theory that should have made a difference as far as applying updates to legacy installation was concerned.
It didn’t, as it was deployed to just 30,000 devices by January this year, according to reports.
The Windows 10 deal is different, we are asked to accept, and will enable NHS trusts to automatically update their systems with the latest security patches and features as they become available, across the Internet, for free. Certainly, Windows 10 does make the updating process pretty easy in theory; in practise it can be quite different.
The current big update to Windows 10, known as the Creators Update, has just started rolling out. And reports of problems have started rolling in.
One sysadmin, not for an NHS trust I hasten to add, spoke of the update replacing domain users with a temporary profile as the default user, owned by the local admin account even if one doesn’t exist on that machine, and after the next login leaving the user with no files, no desktop item and permissions that don’t allow your previous access rights.
This is, of course, just one example; Windows 10 updates are pretty well known for being unpredictable.
The problem of legacy
Of course, these potential problems will only apply if you can actually upgrade to Windows 10 in the first place.
If we are talking legacy specialist equipment, of which there is a lot across the NHS landscape, then much of it just cannot be updated at all. Be it a driver problem or a hardware one, lots of this kit is too vital to scrap and too expensive to replace.
Just auditing everything to determine what is and isn’t capable of being upgraded to Windows 10, with minimal disruption, isn’t going to be easy or cheap.
And talking of costs, I understand that although trusts are not going to be forced into installing Windows 10 across the franchise by January 2020, those who don’t could find themselves up an IT support creek without a canoe.
According to reports central funding for Windows OS licenses will be withdrawn from those trusts who don’t opt-in to the Windows 10 deal.
Another consequence will be that the enhanced security provided by Windows Defender Advanced Threat Protection (WDATP) for bespoke legacy systems will also stop for these trusts.
Cyber-resilience framework
I can appreciate that the Windows 10 deal is part of a much larger cyber-resilience framework, and as Sarah Wilkinson, chief executive at NHS Digital says, “this is one of a suite of measures we are deploying to protect the service from cyber-attack.”
However, I think it is somewhat disingenuous to suggest that “a centralised Windows 10 agreement will ensure a consistent approach to security that also enables the NHS to rapidly modernise its IT infrastructure” as Microsoft UK CEO Cindy Rose has.
The NHS infrastructure isn’t that simplistic, cybersecurity isn’t that simplistic, and I’m not convinced that £150 million over the next three years will be enough to confront the serious security challenges faced by NHS trusts.
I do know that whatever OS is in use, it can only be as secure as the overall security posture of any trust allows.
2 July 2018 @ 18:28
With open standards, what is presented on the desktop should be consistent and the OS should be irrelevant.
The business model centred on the desktop should have been long-dead, and all credit to MS for stringing it out as long as possible but they have a credible cloud platform and now have less to worry about with the progression of the desktop to be a ‘white goods’ platform.
[White goods = like your fridge, you don’t care about it, it just works] and for all sorts of reasons, a *nix based desktop platform makes more sense for the NHS – e.g. a customised version of ubuntu. It is just embarrassing that NHSD have never made this happen.
28 June 2018 @ 23:09
The answer may well lie in RINA (Recursive InterNetworking Architecture) which all security-interested parties should read up on. The less data that lives on Windows PCs the better. There should be work going into a central, encrypted master copy of data and lower ‘life forms’ feeding on copies, also encrypted when it doesn’t matter what happens to that data – deletion, ransomware or theft. All will fail. This will require live real time updates from the active PCs an other lower life forms below the master.
3 July 2018 @ 13:00
@Roger Dodger But some people do care about their fridges; with water dispensers and shinny glosses, for some people its not just about function but how it makes them feel.
The *nix debate has been going on for years. Firstly you’d need to retrain your IT workforce who aren’t all geeks interested in *nix these days. To do this you need a form of decent accreditation and training programmes on mass. And then you need to change the whole IT estate and retrain close to million medical and administration staff, a lot of who are already familiar with Microsoft Windows from use at home, so the learning curve to something else is much higher. But before you do all this, you need a decision to do it, which means convincing a board of non-IT professional that its 100% the right thing to do, when to be honest nobody knows if would be.
5 July 2018 @ 21:25
I really do not believe Linux or any variant of it is the answer for the NHS, lets face it even if Linux was used on the desktop most of the applications and systems in use work on Windows only and that isn’t going to change, so likely Windows would just end up being presented to the Linux machine. Like we are finding in our Trusts with iPads, staff need Windows on them using VDI to be able to use some commercial systems that will not support anything other than Windows or Internet Explorer 11.
No reason why Linux isn’t viable in some parts of the NHS who use few clinical systems if they wanted to go down this route but for acute Trusts in particular this will never happen outside some niche and special use cases. While Microsoft is dominant in corporate and home it will continue to be so in the NHS, with most staff using IT because they need too, rather than because they particularly want too.