This month our cybersecurity columnist wonders whether upgrading devices to Windows 10 will improve cyber-resilience and confront the serious security challenges faced by NHS trusts.
So, the Department of Health and Social Care has jumped into bed with Microsoft to improve cyber-resilience across the NHS by upgrading devices to Windows 10. While far from being a Windows 10 naysayer, I can’t help but wonder if this relationship will be able to deliver the levels of cyber-resilience it appears to promise.
Although the move to provide these operating system upgrades via a central licensing deal was prompted by last year’s WannaCry incident and the resulting post-mortem, the roots run much deeper than that.
In fact, it could be argued that it runs right back to when the last centralised Microsoft deal ended back in 2010, and trusts struggled to cope with the cost of updating.
The issue with updates
Sure, the agreement for the Microsoft Enterprise Threat Detection Service (ETDS) was signed after WannaCry, and in theory that should have made a difference as far as applying updates to legacy installation was concerned.
It didn’t, as it was deployed to just 30,000 devices by January this year, according to reports.
The Windows 10 deal is different, we are asked to accept, and will enable NHS trusts to automatically update their systems with the latest security patches and features as they become available, across the Internet, for free. Certainly, Windows 10 does make the updating process pretty easy in theory; in practise it can be quite different.
The current big update to Windows 10, known as the Creators Update, has just started rolling out. And reports of problems have started rolling in.
One sysadmin, not for an NHS trust I hasten to add, spoke of the update replacing domain users with a temporary profile as the default user, owned by the local admin account even if one doesn’t exist on that machine, and after the next login leaving the user with no files, no desktop item and permissions that don’t allow your previous access rights.
This is, of course, just one example; Windows 10 updates are pretty well known for being unpredictable.
The problem of legacy
Of course, these potential problems will only apply if you can actually upgrade to Windows 10 in the first place.
If we are talking legacy specialist equipment, of which there is a lot across the NHS landscape, then much of it just cannot be updated at all. Be it a driver problem or a hardware one, lots of this kit is too vital to scrap and too expensive to replace.
Just auditing everything to determine what is and isn’t capable of being upgraded to Windows 10, with minimal disruption, isn’t going to be easy or cheap.
And talking of costs, I understand that although trusts are not going to be forced into installing Windows 10 across the franchise by January 2020, those who don’t could find themselves up an IT support creek without a canoe.
According to reports central funding for Windows OS licenses will be withdrawn from those trusts who don’t opt-in to the Windows 10 deal.
Another consequence will be that the enhanced security provided by Windows Defender Advanced Threat Protection (WDATP) for bespoke legacy systems will also stop for these trusts.
I can appreciate that the Windows 10 deal is part of a much larger cyber-resilience framework, and as Sarah Wilkinson, chief executive at NHS Digital says, “this is one of a suite of measures we are deploying to protect the service from cyber-attack.”
However, I think it is somewhat disingenuous to suggest that “a centralised Windows 10 agreement will ensure a consistent approach to security that also enables the NHS to rapidly modernise its IT infrastructure” as Microsoft UK CEO Cindy Rose has.
The NHS infrastructure isn’t that simplistic, cybersecurity isn’t that simplistic, and I’m not convinced that £150 million over the next three years will be enough to confront the serious security challenges faced by NHS trusts.
I do know that whatever OS is in use, it can only be as secure as the overall security posture of any trust allows.