For anyone in the NHS (and that’s around 1.5 million people) one of the more memorable events in 2017 will, sadly, be the WannaCry attack that struck back in May. The announcement that the NHS has agreed to a deal to make Windows 10 available to all NHS trusts couldn’t have come as more welcome news.
Over 600 primary care organizations, nearly 600 GP surgeries and 27 acute trusts were hit. Nearly 20,000 appointments had to be canceled. Every IT team had to spend valuable time and effort investigating if they’d been attacked and ensuring patches and configurations were up to date even if they hadn’t been a victim.
A surprising finding from the attack investigations was that the vast majority of systems affected were running Windows 7, not Windows XP as was initially thought. Windows 7 is a relatively modern OS so why should it have suffered so badly? Another key finding of the inquiries was that routine maintenance was being skipped: “over half the local NHS organizations reported they had not patched systems when required”.
As the National Audit Office report found, “It was a relatively unsophisticated attack and could have been preventing by the NHS following basic IT security best practice.”
This lack of patching may have been for what seemed like a good reason at the time. The commonly held fear was that applying the patches could have caused unnecessary downtime for clinical services. Clearly, that was one trade-off too many.
The lessons have been learned: it’s now widely recognized that staying current is critical to running secure, reliable systems.
As Kenny Covington, Systems Administrator at Riverside Health said, “If there’s a lesson in last month’s unfortunate events, it’s that none of us should rest on our laurels. The more up-to-date your software, patches, and operating system are, the better. WannaCry is a loud wake-up call reminding us that we all need to stay current. As a result, we’re planning to accelerate our move to Windows 10.”
Windows 10 seems to have arrived at just the right time. As Microsoft describe it, the best security is that which is built in from the foundations upwards. It’s not sufficient (and too expensive) to try to build higher and higher walls to prevent an attack with increasingly complex add-on security products, and that is exactly what they’re delivering with Windows 10.
However, as many organizations, including NHS Trusts, start to deploy Windows 10, they’re also starting to understand the implications of the new “Windows as a Service” support model. There are two key aspects of this to consider. Firstly, there will be two “Feature Updates” per year as well as monthly Quality Updates and each build on the previous to further enhance security. Secondly, each release will only be supported for 18 months, and it’s critical to keep current to continue receiving those critical security updates.
For many, that’s looking like a daunting prospect. If Trusts couldn’t keep up with the rarely updated Windows 7 current, how will they cope with the flood of changes coming with Windows 10?
There is good news though. Microsoft has made the upgrade process more reliable and easier to use than ever before (although enabling advanced security measures would still need manual intervention with traditional deployment methods) and, by having frequent and relatively small changes, the potential downtime and impact can be dramatically reduced.
Importantly, this servicing model needs planning to reduce impact and ensure it becomes “business as usual.”
Microsoft and 1E recently collaborated on a webinar detailing the challenges facing the NHS, looked at best practices for managing Windows 10 updates, and provided recommendations for building a successful Windows servicing system.
With only around 400 working days until the end of support for Windows 7, there’s no time to lose in getting Windows 10 upgrade and servicing systems in place. It’s not too late yet, but the earlier you can start, the less disruption and cost will be involved.