Windows 10 upgrade: NHS gets deadline for making the jump

UPDATED: One of the world's largest organisations is now planning for a series of major upgrade projects.
Written by Danny Palmer, Senior Writer

NHS organisations have been given a deadline for getting their Windows 10 upgrade plans in place -- or risk losing out on funding for future upgrades.

Vast swathes of the NHS still rely on Windows 7, and even Windows XP operating systems, but there's now a push to modernise and a date has been set for upgrading to Microsoft's new operating system.

The NHS has signed a deal with Microsoft for NHS trusts to upgrade to Windows 10. A Department of Health spokesperson wouldn't tell ZDNet how much the government is spending on the purchase of Windows 10 for NHS systems, citing the information as "commercially sensitive" but said the contract is set to run for five years - expiring in 2023.

"All NHS organisations joining the Windows 10 agreement must commit to migrating to Windows 10 by no later than 14th January 2020," NHS Digital told ZDNet.

That date is also the final day that Windows 7 will be supported by Microsoft; mainstream support ended on 13th January 2015.

See more: 20 pro tips to make Windows 10 work the way you want (free PDF)

While NHS organisations aren't obliged to commit to the process of installing Windows 10 by January 2020, an NHS spokesperson told ZDNet that central funding for future IT upgrades won't be made available for those that choose not to opt-in to the Windows 10 agreement.

"Central funding for Windows operating systems licenses will not be available to organisations that are not part of the service," they said in an email.

"Also, the enhanced cyber protection that WDATP (Windows Defender Advanced Threat Protection) enables at both local and NHS enterprise-wide level will not be available as the local organisation will not be connected," they added.

There's currently no details on how individual Trusts will be rolling out upgrades or how it will be done without impacting services, especially given the 24/7 nature of the NHS. However, a Microsoft spokesperson told ZDNet that the Windows 10 rollout will not cause disruption to NHS services.

"Microsoft has been working with a community group of Windows 10 deployment and application compatibility and migration specialists to ready them to support the NHS on delivery. We are confident in their ability to deploy Windows 10 with minimum disruption," they said.

There's also the issue of bespoke legacy systems which simply can't be upgraded to Windows 10. The NHS said Windows Defender Advanced Threat Protection will still be applied to these systems, although admitted "the functionality for Windows 7 devices is not as comprehensive as for Windows 10".

However, the organisation insists that legacy devices which aren't capable of receiving the upgrade or being replaced will still be protected, with the individual trusts affected provided with advice.

"Devices which can't be updated or replaced at this time without disrupting the provision of care can be protected from cyber threats in a variety of ways and we will provide support and advice to Trusts on an individual basis to meet their own needs in such cases, as well as distributing advice and guidance about options to enhance protection," Chris Flynn, Head of Operations at NHS Digital's Data Security Centre told ZDNet.

"This deal will enhance protection for the majority of the NHS estate," he added.

The announcement of the Windows 10 upgrade comes almost a year on from the WannaCry ransomware outbreak. While the attack was indiscriminate in its targeting, infecting organisations around the world, the NHS was a high profile victim.

See more: Special report: Cybersecurity in an IoT and mobile world (free PDF)

A number of hospitals and GP surgeries were taken offline by the attack, forcing the NHS to cancel thousands of appointments and procedures across the country. In some instances, normal service wasn't resumed for weeks.

WannaCry ransomware was spread by EternalBlue, a leaked NSA vulnerability which targeted Windows systems. Almost all victims of the outbreak were running Windows 7, which is still used widely throughout the NHS.

Many NHS Trusts hadn't applied the Microsoft emergency patch to protect against EternalBlue - a failure which has been heavily criticized since.

The Windows 10 deal will see security updates applied as they become available and all systems equipped with Microsoft's Defender anti-malware software, and Smartscreen, which performs reputation checks on websites in order to block malicious ones.

"The new Windows operating system has a range of advancements in security and identity protection that will help us to support trusts to keep their data safe from attacks and which will cover both desktop and mobile devices," said Rob Shaw, deputy chief executive of NHS Digital.

A recent report by MPs warned that the NHS still isn't prepared to face future cyber attacks and described the handling of WannaCry by both the NHS and the government as a "wake-up call", saying both need to do more to ensure systems are protected against future threats.

Nonetheless, despite the promise of added security via the upgrade to Windows 10, an NHS Digital statement points out "no system is completely impenetrable".


Editorial standards