
Two years after the WannaCry ransomware outbreak shone a light on the computer security of the UK’s National Health Service, and five years after Microsoft said it would no longer release patches for Windows XP, the NHS still has 2,300 PCs running the outdated operating system.

The worrying statistic came to light in the response to a parliamentary question asked by shadow minister Jo Platt MP.

Parliamentary question

The fact that 2,300 NHS computers are still running Windows XP is, obviously, not great news.

The NHS can ill-afford to suffer another attack like WannaCry, which an investigation found affected 34% of NHS trusts in England, causing 19,000 appointments to be cancelled, and significant costs related to IT support and data recovery.

Windows XP may not have contributed much to the NHS’s WannaCry woe, but it did underline the sorry state of the organisation’s IT infrastructure, which had historically not received as much funding as it deserved.

With the ransomware outbreak dominating British headlines and living long in the public’s memories, the UK government was keen to be seen as taking action to support the NHS and protect patient data, and in April 2018 a £150 million plan was announced to upgrade all NHS systems to Windows 10 “over the next three years.”

Quite frankly, if it does take the NHS until April 2021 to migrate all of its PCs to a modern operating system, that is far from ideal, as Microsoft will have dropped support for Windows 7 long before that, in mid-January 2020.

In short, it sounds as if time is quickly running out.

I’m sure there’s not a single person who works at the NHS on IT security who feels that the situation is perfect, but the truth is that the resources have simply not been there to successfully eradicate XP entirely.

And rather than criticise the NHS for its failure to exterminate Windows XP, it’s worth understanding some of the reasons why the forlorn operating system has lingered for so long at British hospitals.

Firstly, it’s worth bearing in mind that the NHS has a very large number of computers – approximately 1.4 million. So, the percentage of computers running Windows XP is actually very small (around 0.16%) when compared to the total number of devices. In short, things are not ideal, but they could be much, much worse.

In addition, there are sometimes arguably legitimate reasons for running Windows XP. Imagine, for instance, that a particular medical department was using a legacy application that simply did not run properly under later versions of Windows.

Whereas in an office environment it may be hard to justify hanging on to tried-and-trusted applications that could be replaced with alternatives, things may not be so simple when a bespoke program used in the treatment of patients is involved. It’s not simply a case of upgrading to newer PC hardware or installing an operating system update; there may also need to be considerable investment to get a new app written (and tested) that does work on modern versions of Windows.

In a similar fashion, consider the issue of medical hardware and equipment – some examples of which can cost millions of pounds. If there simply isn’t any other software available which can drive, say, critical medical imaging devices such as MRI and CT scanners then would you be wise to decide to scrap the expensive hardware just so you can run a more modern version of Windows on the computer?

After all, if a Windows XP computer is not connected to the internet, and provides few opportunities for malware or a hacker to launch an attack against it, then should it be considered such a priority to replace it? Maybe it makes more sense for the NHS’s IT experts to protect vulnerable XP computers by separating them from the rest of the hospital network, denying any form of internet access, and closely controlling what – if any – third-party software can ever be run on them.
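The three compensating controls just described (segregation from the rest of the network, no internet egress, and a tight grip on what software runs) are only worth anything if they are actually in place on every legacy machine. The script below is an added example, not code from the original article or from the NHS; it takes a constructed asset inventory and a constructed zone-to-zone firewall policy (all hostnames, zone names and rules are hypothetical) and reports, for each Windows XP host, which of those controls is missing.

```python
"""Added example (not from the original article): audit an asset inventory for
legacy Windows XP hosts and check whether the compensating controls the text
describes (network segregation, no internet egress, controlled software) are
actually in place. Inventory and firewall policy below are constructed sample data."""

from dataclasses import dataclass


@dataclass
class Host:
    hostname: str
    os: str
    zone: str                  # network segment the host sits in
    software_allowlist: bool   # True if only approved software can execute


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str                # "allow" or "deny"


# Constructed sample inventory (hypothetical hostnames and zones).
INVENTORY = [
    Host("MRI-CONSOLE-01", "Windows XP", "imaging-isolated", True),
    Host("CT-WORKSTATION-02", "Windows XP", "clinical-lan", False),
    Host("WARD-PC-117", "Windows 7", "clinical-lan", False),
    Host("ADMIN-PC-330", "Windows 10", "office-lan", True),
    Host("LAB-ANALYSER-04", "Windows XP", "imaging-isolated", False),
]

# Constructed zone policy: first matching rule wins, anything unmatched is denied.
POLICY = [
    Rule("imaging-isolated", "pacs-server", "allow"),
    Rule("imaging-isolated", "internet", "deny"),
    Rule("clinical-lan", "internet", "allow"),
    Rule("clinical-lan", "pacs-server", "allow"),
    Rule("office-lan", "internet", "allow"),
]

LEGACY_OS = {"Windows XP"}


def can_reach(policy, src_zone, dst_zone):
    """Evaluate the zone policy: first matching rule decides, default deny."""
    for rule in policy:
        if rule.src_zone == src_zone and rule.dst_zone == dst_zone:
            return rule.action == "allow"
    return False


def assess_host(host, policy, hosts):
    """Return the list of missing compensating controls for one legacy host.

    An empty list means the host is segregated, has no internet egress and
    runs only allow-listed software. Supported hosts always return []."""
    gaps = []
    if host.os not in LEGACY_OS:
        return gaps
    # Control 1: segregation. A legacy host should not share a segment with
    # supported (internet-facing, general-purpose) machines.
    neighbours = [h.hostname for h in hosts
                  if h.zone == host.zone and h.os not in LEGACY_OS]
    if neighbours:
        gaps.append("shares segment with supported hosts: " + ", ".join(neighbours))
    # Control 2: no internet egress from the host's zone.
    if can_reach(policy, host.zone, "internet"):
        gaps.append("internet egress permitted")
    # Control 3: third-party software is controlled.
    if not host.software_allowlist:
        gaps.append("no software allow-list enforced")
    return gaps


def audit(hosts, policy):
    """Map every legacy hostname to its list of control gaps."""
    return {h.hostname: assess_host(h, policy, hosts)
            for h in hosts if h.os in LEGACY_OS}


def legacy_share(hosts):
    """Percentage of the inventory still running a legacy OS."""
    return 100.0 * sum(h.os in LEGACY_OS for h in hosts) / len(hosts)


if __name__ == "__main__":
    print(f"legacy share: {legacy_share(INVENTORY):.1f}% of inventory")
    for name, gaps in audit(INVENTORY, POLICY).items():
        status = "OK (isolated)" if not gaps else "; ".join(gaps)
        print(f"{name}: {status}")
```

Running it as written flags CT-WORKSTATION-02 on all three counts, LAB-ANALYSER-04 only for the missing software allow-list, and reports MRI-CONSOLE-01 as properly isolated. The point of checking the zone policy rather than trusting the inventory's own "isolated" label is that segregation is a property of the network configuration, not of the asset record.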

Yes, we would all love to see the NHS wipe out Windows XP. But I think that day may still be a long way away, and, truth be told, if the remaining machines are handled carefully, that’s not necessarily as big a problem as some of the headlines make out.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.