Despite warnings from the Government to the NHS about the vulnerabilities of old software, a freedom of information (FOI) request has revealed that over 60% of NHS Trusts are still using some form of Windows XP.
Digital Health Age issued a freedom of information request to 144 NHS Trusts asking how many endpoints within the Trusts were still using Windows XP and how many were in the process of being upgraded to a more up-to-date operating system (OS).
In total, the FOI request went out to 192 Trusts. However, 48 Trusts refused to release information pertaining to endpoints, stating that doing so could compromise their IT systems.
Digital Health Age discovered that 88 Trusts are still using Windows XP devices within their organisations. In certain cases, Trusts were planning to upgrade the systems, but others, due to legacy issues, could not upgrade devices to a more secure OS. In other cases, Windows XP was attached to medical equipment which could not be upgraded. To reduce the security risk, Trusts such as St Helens and Knowsley Teaching Hospitals and University Hospitals of North Midlands NHS Trusts have segregated these devices from their main IT network.
This year the NHS was hit by the WannaCry cyber-attack which globally affected over 300,000 computers. The organisation was the worst hit in the UK and had to cancel appointments after devices were affected by the ransomware.
After the WannaCry attack there was speculation over the use of Windows XP by the NHS. Former UK defence secretary Michael Fallon responded, claiming that less than 5% of NHS Trusts were still using Windows XP machines. However, his claim was questioned when an FOI request by Citrix showed that 42 NHS Trusts were still using Windows XP machines.
In response to the attack and to the use of Windows XP, NHS Digital said: “We are aware of widespread speculation about the use of Microsoft Windows XP by NHS organisations, who commission IT systems locally depending on population need. While the vast majority are running contemporary systems, we can confirm that the number of devices within the NHS that reportedly use XP has fallen to 4.7%, with this figure continuing to decrease. This may be because some expensive hardware (such as MRI scanners) cannot be updated immediately, and in such instances organisations will take steps to mitigate any risk, such as by isolating the device from the main network.”
This FOI request appears to support NHS Digital’s claim that the use of Windows XP within the NHS is continuing to decrease. Of the 88 Trusts that confirmed they used Windows XP, 39 are in the process of upgrading to a more secure OS. Whilst some Trusts aimed to upgrade to Windows 10, Windows 7 was the OS that most Trusts planned to move to.
The upgrade process to a more modern OS has been taken seriously by most Trusts. For instance, Central & North West London NHS Foundation Trust stated it was undergoing a “major IT transformation programme”. The Trust has approximately 300 endpoints using XP, with 700 already upgraded to an up-to-date OS. Similarly, Dartford & Gravesham NHS Trust has 40 devices still using Windows XP and since August 2016 has upgraded 350 PCs to Windows 7.
In 2014, Trusts were warned to move away from old software by the Department of Health and the Cabinet Office. Despite warnings to migrate away from old software such as Windows XP by April 2015, the Department of Health had no formal way to assess whether Trusts had complied with the guidance or if they were prepared for a cyber-attack.
Microsoft ended its support of Windows XP in April 2014, stopping security updates and technical support for the operating system and warning users to move to a more modern OS. Windows 7 still has extended support by Microsoft which is due to end in 2020. Arguably, NHS Trusts that are upgrading to Windows 7 could face similar cyber-security issues when support for the OS ends in a couple of years’ time.
DHA reached out to NHS Digital for comment on the story. NHS Digital stated: “The number of devices (which could be a PC or specialist medical equipment) within the NHS that reportedly use XP is continuing to decrease and we support the recommendation to remove XP. Some expensive hardware (such as MRI scanners) cannot be updated immediately, and in such instances we advise organisations to take steps to mitigate any risk, such as by isolating the device from the main network.
The Government response to the National Data Guardian’s review referred to “working in partnership with Microsoft to help mitigate the immediate risks associated with unsupported software”. Part of this work has now culminated in a custom support agreement between NHS Digital and Microsoft.
One of NHS Digital’s key roles is to work closely with other national partners to explore and provide additional layers of cyber security support to NHS organisations when they need it, with the aim of minimising disruption to NHS services and patients. Under the agreement, all NHS organisations are covered by the custom support agreement, which provides patches and updates for all existing Windows devices operating with Windows XP, Windows Server 2003 and SQL 2005.”