Has the NHS found a cure for worms?

Improved patch management should eradicate malware from UK hospitals once and for all, writes Martin Courtney

The West Middlesex Hospital NHS Trust was hit by the Conficker worm in February. Flickr: Jim Linwood

The NHS has expanded the scope of its long-running contract with Novell to include advanced patch and software asset management functions to guard against malware such as the Conficker worm, which struck another UK hospital in February.

This latest deal, which extends an existing £6m agreement between the NHS and Novell going back to 2005, will see various additional NHS trusts deploy Novell Open Enterprise Server 2, Storage Manager and Access Manager; ZENworks Configuration Management for remote user management, updates and fixes; and GroupWise Teaming and Conferencing for departmental communication purposes.

Mark Ferrar, NHS strategy director, said the prime motivation for the extension was patch and software asset management, however.

“The patch management stuff was the key component we needed more of, which was missing from the original deal,” he said. “We need to understand and gather information on our asset inventory, and deploy patches and fixes in an appropriate way.”

The NHS has consistently battled to contain the Conficker worm since it first appeared in 2008, and hopes that better patch management will mean any remaining system vulnerabilities will be eradicated. The most recent outbreak occurred last month at the West Middlesex Hospital NHS Trust. Other trusts affected by Conficker this year include Mid Cheshire and Leeds.

Better software asset management will also help the NHS avoid unexpected bills, arguments with software vendors and unnecessary spending on software licensing. ZENworks provides Trusts with a view across their entire desktop estate, highlighting potential problems and licensing issues.

“We can see certain trends and patterns emerging, such as asset and inventory management, which have a big impact on desktop operational costs,” said Ferrar.

A report published by research company Forrester in January advised organisations that software publishers are placing increased emphasis on licence compliance audits to ensure they get “every dollar of revenue to which they are entitled”, and warned that no IT manager can afford to be complacent.

Forrester highlights several common causes of software audit compliance problems. These include virtualisation, multiplexing (where one application is integrated into another), external application use by customers, partners or sales agents, and inactive user accounts.

“The better vendors are like those traffic police that prevent speeding by being highly visible – they focus on encouraging and supporting good software asset management. For example, Microsoft and Adobe subsidise resellers to advise customers on software asset management best practices,” stated Forrester analyst Duncan Jones in a research note. “But others seem to be like the revenue-generating cops who hide with their radar guns in bushes.”

Novell is just one of many vendors offering patch management tools that can help stave off the attention of vendor compliance teams. Others include IBM and Symantec, while vendors such as VMware and Shavlik Technologies also offer patch management software that monitors virtual, as well as physical, machines.

Apart from patch and software asset management, the NHS has a number of other related IT upgrade priorities to address, most notably identity access management.

“The average [NHS] user will have a lot of different usernames and passwords for different systems, so trusted managed identities is another big push for us, as is managing desktop images,” Ferrar said. “We set our own priorities against what needs to be improved – a particular Trust may be good on desktops, but not so good on servers and applications, for example – the further up the [NHS’ five-level maturity] model it gets, the more delivery is improved.”