Exclusive: the NHS paid £159m to upgrade to the latest version of Windows

The NHS paid £158.5m to buy a Windows 10 licence for the entirety of its computing stock, a contract notice seen by NS Tech reveals.

The government announced in April that it had signed a deal to upgrade to the latest version of the Microsoft operating system, but refused to disclose the value of the deal, citing commercial sensitivities.

But in a contract notice published last week, the Department for Health revealed it had paid Bytes Software Services, a reseller, £158.5m for a five-year Windows 10 software licence.

When the deal was announced, the government said it would boost the health service’s cyber defences following the WannaCry cyber security attack last May.

The virus spread through thousands of organisations around the world, and hit the health service particularly hard. The NHS was acutely vulnerable because many of its computers were running unpatched versions of Windows. In some cases, hospitals were running XP systems that were no longer supported and could not be patched.

“We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS against this threat,” said the then health secretary Jeremy Hunt. “This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect.”

The deal came in addition to a £150m pot for boosting the NHS’s cyber resilience in the wake of the WannaCry attack. As part of that fund, the government pledged to set up a new cyber security centre, valued at up to £30m, that will be staffed by white hat hackers from IBM.

Professor Alan Woodward, a cyber security expert at the University of Surrey, suggested that while the size of the deal is very large, it may represent good value given that the NHS’s computing stock is one of the largest in the world. “It’s not unusual for a bank to spend £70m,” he said.

The government’s £150m investment in NHS cyber security will fund the implementation of 22 recommendations drawn up in light of WannaCry, but, nearly 12 months on from the attack, the government is yet to announce when they will be put into practice.

A source told NS Tech in April that the Department for Health and Social Care was in the process of writing the business case for the recommendations, before presenting the specifics to Downing Street.