Industry voice: Health and care organisations across England can now take cyber security to the next level following a deal between NHS Digital and Microsoft aimed at minimising disruption to NHS services and patients from cyber threats
The organisation’s Custom Support Agreement with Microsoft provides the building blocks for a more secure IT environment for health and care organisations – and demonstrates the wider potential for protecting the public sector through such a collaborative approach.
The spectre of cyber attacks has cast a shadow over the public sector since the first days of computerisation. But recent successful and high-profile attacks affecting local government and the NHS have brought home the harsh realities of such events.
Cyber attack is classed as a tier one threat to the country and one can see why: when WannaCry struck, a number of hospital systems were shut down, appointments and operations postponed, and some trusts were unable to function normally for several days.
Machines running the older versions of Windows operating systems, especially Windows XP and Server 2003, are particularly vulnerable to cyber threats as support for these is no longer available under ordinary licences.
NHS Digital was able to mitigate much of the impact with its existing capabilities. Its Data Security Centre monitored the threats and the CareCERT service provided alerts and guidance to organisations on how best to respond to the crisis.
But it was impossible to protect devices running on the out-of-date operating systems that lacked the software to protect them against the threats. Unfortunately, simply upgrading these devices quickly was not always possible – many of them run sophisticated medical equipment or are provided within specialist supplier applications.
Aware of this potential threat, NHS Digital and Microsoft had already identified the risks and were in the process of drawing up a contract to provide support for organisations using those older systems. The Custom Support Agreement (CSA) was made available in August, and will give organisations in all areas of health and care an improved level of security while they plan their migration to more up-to-date operating systems.
Andrew Haywood, senior project manager in NHS Digital's Data Security Centre, says: “We were already doing a lot of the key activity, but the attacks brought this into the spotlight and the Microsoft deal was signed to enhance that capability and to look at areas where we could improve.”
The CSA raises collective risk management capabilities to a much higher level, improving the protection not just of individual IT systems but the whole operation.
There are a handful of key elements to the CSA. The one with the most immediate relevance following WannaCry is the patching service, in which a Microsoft team continues to monitor the cyber landscape and quickly develop software patches for legacy systems to deal with any known threats. This includes provision of best practice and guidance around installation of these patches.
A sophisticated Enterprise Threat Detection (ETD) service provides a centralised approach to monitoring any potentially malicious cyber activity. It analyses device data intelligence in real time, identifies threats and aims to reduce the likelihood and impact of security breaches or malware infection across the NHS.
Currently, eligible organisations need to contact the NHS Digital programme team to take up the ETD; but Haywood says the team is working on a self-service onboarding guide. This should enable organisations to examine how the service would work for them and then activate it themselves.
“It’s a more forward-looking capability,” Haywood says. “We already have CareCERT for monitoring and alerts, but ETD will give us more data on what’s going on and what can be done to change it.”
Centre of Excellence
Then there is the Cyber Security Centre of Excellence for Health and Care. This combines NHS Digital’s capabilities in the field with Microsoft’s expertise and contributes to future proofing the IT estate. Consultancy services within the agreement help NHS Digital to develop best practices in specific areas, such as patch management, as well as rapidly call down consultancy services to respond to cyber events.
The agreement also includes a workstream supporting migration from those outdated operating systems to Windows 10.
This is a crucial move, as general support will also be withdrawn from Windows 10’s widely used predecessor, Windows 7, in 2020. Organisations using Microsoft software should be thinking about this as their next step.
Windows 10 raises the security bar higher than previous versions of the operating system with a number of crucial capabilities in its ‘secure by design’ toolbox. One is that, if the operating system detects any sign of an outsider attempting to interfere, it goes into an emergency state and informs the administrator that the system could be under attack.
Process not project
Another lies in the programme of semi-annual updates of the operating system, which includes the provision of the most up-to-date security functions. This means that administrators will only have to manage iterative changes within the system every six months, rather than a full-scale migration project every few years. This changes the dynamic to a process rather than a project, and sharply reduces the risk of systems becoming vulnerable as organisations put off major upgrades.
Then there is Windows Defender Advanced Threat Protection, which collects additional security data and routes it through a dedicated cloud service that applies machine analytics and can respond directly on the organisation’s behalf. It can take feeds from across the IT estate and makes it possible to track any worrying activity right down to the specific device level.
The deal with NHS Digital is available to all organisations involved in health and care in England, extending to different types of trusts, clinical commissioning groups, local authorities and care homes. For those that are still dependent on Windows XP or Server 2003 it provides an essential step in protecting their systems, and their whole delivery of care, until they can manage the migration to the new, more robust operating system, Windows 10.
It is an approach that is also open to the rest of the public sector. Other CSAs are in place with other parts of the public sector, and there is the potential for more to meet the needs of different services and protect them from future threats. The goal is to strengthen the security of existing Microsoft enterprise operating system estates and promises to equip organisations with the means to resist cyber threats into the long term.
NHS Digital’s CSA with Microsoft is available for use by health and social care organisations across England. For more information contact the Data Security team at NHS Digital: firstname.lastname@example.org
For more information on Microsoft’s cyber security services contact: email@example.com
UKA Live puts the spotlight on cyber security in its webcast, 11:00, 1st December 2017.