zephyr_p - stock.adobe.com

NHS still has thousands of PCs running Windows XP

NHS computers are still being upgraded three years after the WannaCry ransomware attack to the health system, raising concerns over cyber security

The National Health Service still has thousands of computers running Windows XP operating system (OS), five years after Microsoft stopped providing support for it.

Responding to a written parliamentary question from shadow Cabinet Office minister Jo Platt, the government revealed that 2,300 NHS machines are currently running on XP.

While stressing that the number of computers that still operate the system represent only 0.16% of the NHS estate of 1.4 million devices, minister for mental health, inequalities, and suicide prevention, Jackie Doyle-Price, said this is being addressed.

“We are supporting NHS organisations to upgrade their existing Microsoft Windows operating systems, allowing them to reduce potential vulnerabilities and increase cyber resilience,” she said.

According to Platt, the fact that this is still happening three years after the WannaCry attack to the NHS is “an indictment of this government’s cyber security record”.

“The government is seriously lacking the leadership, strategy and co-ordination we need across the public sector to keep us and our data safe and secure,” she added. “How many more warnings will it take before they listen and take action?”

The large-scale ransomware attack to the NHS in 2017 caused a range of problems such as hospitals across England diverting emergency patients, as well as difficulties in clinical and patient systems.

The immediate cost of the WannaCry attack to the health system is estimated at £92m, with around £275m in cyber security infrastructure improvements to be spent by 2021.

A National Audit Office (NAO) report stated that the incident could have been prevented had the NHS followed basic IT security best practice, while another review highlighted the need for cyber security accountability and skills in the health service. 

Continued use of XP has been listed as a key factor enabling the NHS ransomware attack. Whitehall technology chiefs decided to end the volume support deal for the popular OS in 2015, but there are other reasons as to why the health system was particularly vulnerable to the attack.

At the time, the Government Digital Service (GDS) left it to NHS trusts to make their own arrangements for XP support if they were required. At the time, even the NHS couldn’t force trusts to do upgrade.

As a result, accountability for IT standards, security included, varies widely across the heavily federated NHS organisation.

Read more about NHS IT

Read more on Healthcare and NHS IT