• NHS England will ask the government for capital funding to improve cybersecurity in the autumn budget
• Centre in talks with Microsoft about new NHS-wide licence deal for “core software”
• Funding will be focused on improving patching, network security and cyber-threat detection
• NHS England in talks with medical device suppliers about improving cybersecurity standards

NHS England will seek substantial new capital funding for cybersecurity in the wake of the WannaCry ransomware attack, Matthew Swindells has revealed.

Mr Swindells, NHS England’s director of operations and information, told HSJ the commissioning body would seek additional funding for cybersecurity from the government as part of its capital ask in the autumn budget.

He would not be drawn on how much money was needed to shore up the NHS’s cybersecurity, but indicated it was likely to be in the hundreds of millions. “It’s a not insignificant amount,” he said.

The NHS needed to start viewing IT infrastructure, such as computers and networks, as a “core part of facilities” alongside other parts of its estate, he added.

Mr Swindells also confirmed NHS England was in talks with Microsoft about a new central licensing agreement covering “core software” to be used across the entire NHS, with a particular focus on cybersecurity.

He said: “Some stuff we will license on behalf of the NHS, because it is better value to do it like that, and some stuff is where we’ll say ‘if you are doing this locally, here’s a standard to buy against’.”

The agreement would likely not be as extensive as previous national agreements with the software giant. The Department of Health ended its last national agreement with Microsoft in 2015, a decision that was criticised after the WannaCry attack in May.

Mr Swindells declined to say the extent to which the core software agreement would be funded centrally.

The state of the NHS’s ageing IT infrastructure has come under scrutiny since the ransomware attack on 12 May, which infected at least 47 trusts and led to the cancellation of more than 15,000 appointments and operations.

In the weeks since, several trusts that were infected in the attack have blamed a history of underinvestment in IT infrastructure. However, as HSJ’s analysis revealed last month, at least one in five trusts did not properly apply a Windows security update, or patch, that would have protected them from the virus.

This was despite NHS Digital’s CareCERT team sending several “critical alerts” urging organisations to apply the patch in the weeks before the attack.

The government’s response to the third Caldicott review, published in July, placed new requirements on NHS boards to take responsibility for cybersecurity and act on CareCERT alerts. It also included £21m to improve cyber resilience at major trauma centres.

Mr Swindells said trusts that had kept investing in IT infrastructure were unaffected by the attack and there were clearly organisations that had not taken cybersecurity seriously enough.

“Not all organisations were receiving and dealing with CareCERT alerts well. What I think we’ve been really clear with since the cyberattack is [that] that’s not acceptable,” he said.

Any new core software central agreement and capital funding would focus on improving network security and consistency within trusts, in particular patching, to ensure security updates were applied quickly, he said. 

“We have organisations where in order to apply the latest patch you have to walk to every PC. That is not sustainable,” Mr Swindells said.

NHS England’s request for capital funding will be based on an ongoing review, led by chief information officer Will Smart, into the service’s cybersecurity risks and gaps in the wake of the WannaCry attack.

Mr Swindells said one of the early findings of the review was the poor cybersecurity of medical devices, which often ran software dependent on unsupported systems, with suppliers not considering cybersecurity a priority.

He said: “There are conversations with people that are providing medical devices to us around the standard they need to adopt to be acceptable supplier to the NHS.” Concerns have recently been raised about scanners and infusion pumps being reliant on ageing and potentially vulnerable technology.

Mr Smart’s review is expected to be published in the autumn.