Critical IT Continuity Planning for a Secure Microsoft 365 National Health Service

In a time when effective healthcare has become the number one global priority, it’s absolutely critical we ensure the resilience of these services from attack or technical failure.

It’s on this backdrop that I consider the announcement this week, that a deal struck between NHSX, NHS Digital and Microsoft, will save the NHS hundreds of millions of pounds while giving 1.2 million staff access to Microsoft 365 security (formerly known as Office 365) and productivity tools. This will include GPs, consultants, nurses, therapists, paramedics and support staff, who will all have access to services within Microsoft 365.

Make no mistake this is positive news. Digital transformation in UK’s healthcare system is a mammoth and much-needed undertaking - one that certainly will bring many benefits to improve productivity, collaboration and better health outcomes for patients. For example, Microsoft Teams has already been used across many NHS organizations to collaborate, share information securely and support new ways of working during the COVID-19 pandemic.

But as recent Microsoft service outages remind us, no one IT system is infallible and every organization needs a business continuity plan for when key services fail.

Exchange Online Downtime

On Monday, thousands of Microsoft 365 users in Australia and New Zealand reported problems accessing the service just as the working day started. Later in the day, similar issues started occurring in Europe. Both incidents were thankfully remediated within a few hours.

Frustrated IT professionals took to social media to share stories of frustration, SLA advice and memes to let off steam. And there was nothing they could do but wait until Microsoft acknowledged and then fixed the problem.

Wait a minute… or was there something each IT team could have done?

This is yet another prime example what happens when you flatten all of your protections, services and applications into one dependent system. Microsoft 365 security concerns aside, every IT leader today grew up knowing the need for independent backup and continuity when their systems were on-premises.

However smart that new cloud system is, human error or technical failure can occur, leaving you at the mercy of your outsourced vendor. The productivity gains you made from moving to cloud suddenly start to dissipate and the reputation of cloud services overall take a hit.

It’s up to each individual organization to measure the risks of third-party service outages and consider an appropriate backup plan. That’s not Microsoft’s problem but yours, the IT professional – and it needs to be planned and rehearsed in advance.

That risk measurement will of course vary between industries, size of organizations and individual management teams. Some fledgling firms may decide to gamble their uptime but as customer needs and brands reputations grow, demands for continuity move closer to that of critical public services.

Flashback to WannaCry

Just over three years ago the WannaCry raced around the world, striking into the heart of Britain's health service. The attack forced affected hospitals to activate major incident plans, closing wards and emergency rooms, canceling routine appointments and diverting ambulances to neighboring unaffected hospitals. Doctors' practices and pharmacies reported similar problems.

Government estimates on the financial cost of the were placed in two broad categories: during the attack and the recovery period in the immediate aftermath. Firstly, it was estimated that there was approximately £19m of lost output - based on 1% of care disrupted over a one-week period. They then accounted for £73m in additional IT costs.

When WannaCry struck, the NHS still ran 4.7% of its machines on XP, despite Microsoft having ceased support for the software back in 2014. Now it’s Windows 7 that is outstaying its welcome and the new rollout of Microsoft 365 will now ensure IT systems that haven’t yet been upgraded to Windows 10, will be.

Own your own uptime

The lesson here is that every new service you rely on brings new risks of dependency. Microsoft Teams has already had a number of outages during the pandemic. Email infrastructure is inherently complex and cybercriminals consistently innovative. New weaknesses will be discovered and new mistakes made. Microsoft 365 security is improving but so are the advanced attacks we detect every day targeting the platform.

Earlier this month I wrote about the great cloud migration and the need for a prepared-for-anything mindset. This approach requires defense-in-depth security thinking, steadfast continuity systems and regularly updated (and tested) business continuity plans.

We need to accept that communication service downtime for the NHS could have a direct impact on the delivery of vital services to the community. Any organizations moving to Microsoft 365 security and productivity services, especially part of the Critical National Infrastructure, should still be on the hook for their own business continuity and resilience.

It’s not up to Microsoft to begin planning for the next event that affects our organizations. That’s on us.