CfH gives go-ahead for IE7

Tags: CfH Infrastructure

22 Jan 2010

NHS Connecting for Health has said organisations still using Microsoft Internet Explorer 6 should move to IE7, following security concerns about the older browser.

The Department of Health signed a national licensing deal with Microsoft in October 2001 that lead to the majority of NHS trusts using IE 6 for internet and intranet access.

In 2006, CfH instructed trusts not to download copies of the latest versions of IE until it could confirm that the software worked with national applications delivered by the programme and its prime contractors.

However, last week Microsoft admitted that a security hole in IE6 had led to attacks against Google and other hackers in China.

This prompted both the French and German governments to warn internet users not to use the browser and to find an alternative, such as Mozilla Firefox or Google Chrome.

The UK government has been slow to react to the warnings. But yesterday the Cabinet Office issued a statement that said: “Government departments have been issued an alert on how to deal with this particular incident and to mitigate against vulnerabilities in relation to particular versions of IE.”

Following this, CfH issued guidance telling trusts to use the Microsoft website or their system management or patch management software to obtain an update to resolve the vulnerability.

The guidance states: “It is recommended that this update is applied to all affected computers within an organisation. Organisations should ensure that appropriate levels of testing of the update take place prior to mass deployment.”

It adds: “It is additionally further recommended that organisations still using Internet Explorer 6 on the affected platforms upgrade to Internet Explorer 7.

“Internet Explorer 7 has been warranted to work correctly with Spine applications such as the Clinical Spine Application and provides additional security features over Internet Explorer 6.”

Earlier this week, Microsoft said that Internet Explorer is still the most secure browser on the market.

Cliff Evans, Microsoft’s head of security and privacy, said that for web users to be affected they would have to be using IE6 on particular platforms and to visit a compromised website, of which there are apparently “very few.”

CfH is advising trusts to contact the Department of Health Informatics Directorate Infrastructure Security Team or to contact Microsoft or their vendor if they experience further problems.

Microsoft's enterprise wide agreement with the NHS has been re-signed since 2001 and is due to be renewed again later this year.

Link: Update obtainable from Microsoft TechNet.

More information on Internet Explorer from Microsoft.com.

Sarah Bruce

Trusts told not to download latest Internet Explorer (06 Nov 2006) (3)
Microsoft asks NHS what next for its EwA (08 Sep 2009)

Reader's Comments

Only four years out of date now

22 Jan 10 08:01

IE7 - circa October 2006? Brilliant :-(

This should be a non-issue.

Organisations like Amazon, BBC, Expedia, YouTube, EHI etc can build rich interactive web sites which work with any standards compliant browser and mainstream host operating system.

This isn't 'Microsoft bashing' just sound design.

If the philosophy is there (i.e. don't build to browser specific quirks and minimise client-side gimmickry) this adds >nothing< to the design and build stages. Testing is obviously extended but doesn't need to run to more than a few browsers.

They're going to have to do better than this if myHealthSpace is ever going to take off.

Oh really

22 Jan 10 10:01

If we are not moving to IE7 it is not because we haven't heard of it. In some cases this can involve rewriting some pretty complex clinical applications that have used components such as Active-X in the past. It's not client side gimmickry unless all you play with in your browser are websites with dynamic introductions etc.

Maybe CfH should have a look at some of the things they have introduced like PACS? Other applications such as ESR are also currently not ratified for IE7 I think?

poor Mr Gates

22 Jan 10 11:01

i'll bet he was up at night fretting over whether CFH would allow IE7 to be used in the English NHS

Concerned about security?

22 Jan 10 13:01

This would be the same ‘concerned about security’ Connecting for Health that force us to change IE security settings to run unsigned Active X controls, save encrypted files to disk and turn off pop-up blockers so that LSP and NASP applications will actually work.

Imagine that Mr Gates is fretting far more about the forthcoming EWA renewal and our £600M savings requirement.

Re. Oh really

22 Jan 10 13:01

And it's not as though CfH's own online documentation repository (FileCM) ONLY works on IE6! IE7 and 8 are not supported.

Still behind the times, though

25 Jan 10 14:01

IE 8 is the curerent version, so v7 is just a bit less obsolete!

One must ask why all thes apps were written for IE and not using W3C standards.

Perhaps because the vulnerabilities made it easy for programmers to achieve their ends without too much thinking?

Or because the suckers fell for the microsoft buy-in, using developer kits with built-in obsolescence?

Perhaps for apps that run over N3 with NWW addresses, the security worries aren't so great, but for general web browsing the NHS should be recommending other browsers - eg Firefox - to protect local networks and data.

And most of all, any re-coding MUST be to web standards rather than microsoft proprietary ones or it'll just have to be done again in another few years!

IE should not be used

ben.toth@gmail.com

26 Jan 10 16:01

Given its endless security problems and the poor record of fixing them, IE is not good enough for the NHS. And the people who let suppliers write software which only works in one browser should be kept away from writing specifications. http://mashable.com/2010/01/26/security-flaws-internet-explorer/

Dumb going to IE7 at this point

mnd999@hotmail.com

26 Jan 10 23:01

It's pretty dumb going to all the effort of migrating from one obsolete version to another. It makes much more sense to skip 7 and go straight to 8. No point doing all the retesting twice after all.

Nice

27 Jan 10 11:01

It must be nice to sit in 2010 commenting on what people did 10 years ago knowing that if you were doing it now you'd have done it differently. The fact is that if you wanted to introduce any kind of rich functionality years ago you had to use proprietary tools. Even now with more open environments like Java you will have clients that cannot access the systems.

It has always been the same in IT that once you get beyond the basic functionality you need to get into the proprietary. Look at code for SQL server and then try to port it straight to Oracle. There is ANSII SQL in there somewhere right? If you don't know or appreciate these things then you don't know much about your subject. If you think a move of web apps onto IE7 or 8 is trivial then you don't know much about your subject either!

re: Nice

27 Jan 10 13:01

I think we see here one manifestation of incompatible visions for NPfIT

1. an LSP managed "locked down" common desktop across a cluster with a single application which "does it all" playing in a secure N3 network sandpit

2. a variety of semi- or non-integrated clinical applications co-existing on machines maintained by many 'traditional' NHS IT departments which are also used for unrestricted web surfing, personal e-mail etc.

Like most things NPfIT, not only can't we have our cake and eat it - the cake never showed up in the first place.

In 2010 why the fuss

28 Jan 10 15:01

This isn't 1993 - 1998 or even 2004...

it is 2010 and any serious thin client application that requires a browser to operate should be compatible with the offerings of all major browser vendors - if not - why not?

Regardless of ANY past or future grandstanding deals done with vendors, the focus for development should be on flexibility through standards not on version compatibility from one vendor. If the wait for IE8/7 or whatever means that this will be achieved (meaning that Chrome, Firefox and Safari - as examples - also work) that might be seen as progress.

Surely we shouldn't just be berating non-functionality in the latest browser from one vendor.

Post edited by EHI.

Build IT right and IT will work...

29 Jan 10 10:01

IE6 was a poor platform for interactive applications and shouldn't have been used, even in 2001.

IE7 has been in decline for a year so jumping from the long tail of one browser into another is poor foresight, planning and architectural design. If applications need rich functionality, do it right and use a framework and architectural design that supports modern browsers, i.e. IE8, Safari, Opera, Firefox or Chrome.

Rewriting these applications and tying them to IE7 or prorietary features in IE8 will put everybody in exactly the same situation in the future. We should learn from these obvious mistakes and ensure the development teams are skilled properly.

If your web application doesn't work in the latest versions of Safari, Chrome, Opera and Firefox -- you've built it wrong, it really is that simple.

German government have not made any bones about their concerns

29 Jan 10 11:01

http://preview.tinyurl.com/germansrejectie

This Telegraph article from last week describes how the German govt are actively discouraging their citzens to stop using IE after major security flaws in IE led to major breaches in China.

Given MS interest in Health and the announcement that Siemens (a long standing partner of Microsoft) have signed up for Healthvault - shouls we be concerned?

The browser is oft regarded as the simple piece in the puzzle - however these are sophisticated software applications that should be judged on merit not on market dominance through restrictive practices.