The NHS Windows 10 upgrade is likely a response to the crippling WannaCry attack of May 2017, which affected more than a third of English trusts and forced the cancellation of at least 6,912 appointments.
According to the BBC, NHS Digital had assessed the cybersecurity standards of 88 out of 236 trusts prior to the attack — none passed.
Now, the U.K.’s Department of Health and Social Care has announced changes to allow all NHS organizations to upgrade to the Windows 10 operating system. Such an undertaking will no doubt take time — perhaps years — so the associated cyber risks or security benefits won’t come into play just yet. Additionally, maturity varies dramatically across the NHS. The DoH will need to tailor its assistance based on the capabilities of each individual entity; for example, if some 5,000 GP surgeries connected on the same network have no internal IT resource, how will they manage the upgrade? How the DoH will manage oversight of the upgrade initiative also remains in question.
The NHS Windows 10 upgrade will bring with it new anti-ransomware security features such as Windows Defender Exploit Guard, Exploit Protection and Attack Surface Reduction, among others, surely aimed at defending against the next WannaCry-style attack. While these features no doubt harden the latest Windows operating system, we took a look at how recent vulnerabilities stacked up between Windows 10 and older versions.
Windows 10 Vulnerabilities
Windows 10 has seen more vulnerabilities published from 2017 to date (as of the publication of this post) than Windows 7 and 8 in that time frame.
Looking at vulnerability tallies alone, though, can be misleading as many factors contribute to this figure. More vulnerabilities doesn’t necessarily mean Windows 10 is less secure; rather, it could signify more resources are being used to identify vulnerabilities with the goal of improving security. Also, when looking over a longer period of time, Windows 7 and 8 have more vulnerabilities as they have been around longer — and targeted by attackers for longer — than the latest version, and fewer vulnerabilities are being discovered in these operating systems as time goes on.
Mac vs. Linux vs. Windows 10 Vulnerabilities and Exploits
When looking at vulnerabilities exploited in the wild by OS, Windows is the most exploited with 18 exploits in the wild from the beginning of 2017 to date. In the same time, Mac OS X had just one such vulnerability while Linux Kernel had zero.
But again, understanding the security of the OS is about more than numbers alone. The ubiquity of Windows, especially in the business world, provides attackers with a larger — and potentially more lucrative — user base on which to unleash their exploit.
Is the NHS Windows 10 Upgrade The Right Decision?
Only time will tell if the NHS Windows 10 upgrade improves the security of their trusts. The new security features do seem to be poised to modernize the system’s cybersecurity, especially its attempts to protect against the current, ransomware-obsessed threat landscape.
Its vulnerabilities will have to be dealt with, as always, in context by understanding their intersection with assets, network infrastructure and exploits in the wild. Hanging too many hopes on a new OS and its whiz-bang features is a surefire way to please attackers who see those same features for their potential: more vulnerabilities.
Windows 10 does bring with it the cumulative update approach where all patches for the month are rolled into a single update, forcing organizations to patch more than just critical-severity vulnerabilities. However, we’ve seen how this can be a double-edged sword, as reluctance to install one patch can delay the implementation of the cumulative update. Additionally, many IoT and operational technology devices will likely not be upgraded for various reasons and may remain unpatchable. Thus identifying patching alternatives such as IPS signatures, ACL changes, etc. will be more important now to the NHS than ever.
Allowing NHS trusts to upgrade to Windows 10 is only part of a security jigsaw puzzle that will take many years to complete. Without a clear picture of what they’re trying to create, the 500+ entities tasked with piecing it all together may find coordination the most difficult challenge of all.
*As of the date of this publication