• National contract for Microsoft Windows 10 close to being signed
• Will be nationally funded, likely through software licensing
• Comes as MPs urge the government to move faster on cybersecurity after WannaCry attack

The NHS is close to signing a new national contract with Microsoft to provide Windows 10 nationally, as the first anniversary of the WannaCry cyberattack approaches, HSJ can reveal.

Several sources familiar with the deal confirmed NHS Digital, which is responsible for cybersecurity in the NHS, was near to signing a national agreement.

The contract could cover upgrades to hundreds of thousands of NHS devices

The deal will provide national funding for Windows 10 for all NHS organisations, likely in the form of free licenses, sources told HSJ.

The last national licensing contract between Microsoft and the NHS, which was dropped by the Department of Health and Social Care in 2010, was worth £500m over 12 years. The new deal is likely to be less generous and cover fewer products.

An executive update to Dorset Clinical Commissioning Group’s board last month raised concerns about insufficient financial support to upgrade IT hardware to support Windows 10.

It said: “With no additional funding there is a very real risk that our trusts will not be able to afford the costs of replacing our existing aged desktop/laptop hardware with new compatible devices. I am reviewing options available to us as a system to address this situation.”

The update said the deal would not cover Office 365.

The news comes after the Commons public accounts committee released its review on Wednesday of the impact on the NHS of last May’s global WannaCry ransomware attack.

More than 80 NHS trusts and hundreds of GP practices were disrupted by the virus, leading to ambulance diversions and thousands of appointments being cancelled.

Critics have cited the DHSC’s decision in 2010 to leave trusts to manage and pay for their own Microsoft software licensing as contributing to the poor preparedness of the organisations disrupted by WannaCry.

Reviews of the attack have highlighted lack of investment in IT infrastructure, including not updating and replacing older versions of the Windows operating system, such as XP, as factors.

The latest review said parts of the NHS were “ill prepared” for WannaCry and central bodies have not moved fast enough since to help trusts defend against further attacks and prioritise investment in cybersecurity.

In August, NHS England national operations and information director Matthew Swindells told HSJ that after WannaCry some core IT functions clearly needed to be handled nationally. He confirmed discussions were taking place with Microsoft about licensing “core software” nationally for the NHS.

Following an NHS England review in February, the DHSC announced that over the next three years at least £175m would be shifted from other national IT projects to boost cybersecurity.

HSJ understands the new Microsoft contract will be paid for from this fund.

The deal is not the first between Microsoft and NHS Digital since WannaCry. In January, NHS Digital agreed to pay the company £5m a year to boost its cyberthreat detection capabilities.

The national deal to supply Windows 10 would be a much broader agreement, potentially covering upgrades to hundreds of thousands of devices in the NHS.

NHS Digital runs the national IT infrastructure for the health service, including NHSmail, the NHS Spine and the Health and Social Care Network. In 2015, it established CareCERT to monitor cyberthreats and help providers prepare for and respond to attacks.

Microsoft and NHS Digital were both approached for comment.