90 per cent of the UK's NHS is STILL relying on Windows XP

The NHS is still running Windows XP en masse, two and a half years after Microsoft stopped delivering bug fixes and security updates. Nearly all of England's NHS trusts – 90 per cent – continue to rely on PCs installed with Microsoft’s 15-year-old desktop operating system. Just over half are still unsure as to when they will …


  1. Pen-y-gors

    Extended support?

    Individual government departments and agencies were free to sign their own extended support agreements with Microsoft

    Did Citrix think to ask the trusts whether they had their own extended support agreement? Or is this just a marketing ploy to flog Citrix' thin client services (or whatever they're called this week)?

    Still pretty worrying. Another triumph for government IT.

    1. Doctor Syntax Silver badge

      Re: Extended support?

      "Did Citrix think to ask the trusts whether they had their own extended support agreement?"

      Or whether they have exposure to the internet?

      There could be quite a number hooked up to expensive kit with XP-only applications for which there's no alternative. There's no chance of upgrading in such a situation and the best solution is to protect them.

      1. Anonymous Coward

        Re: Extended support?

        I worked at an NHS Trust that paid Microsoft in the region of £300k for the extended support for 6 months as they still had >3000 XP machines.

        About 5 months into the 6 month extension, they got hit by malware that was supposed to be trapped by one of the updates included in the extended support. The malware hit hundreds of XP machines and caused significant expenditure of resources to fix, restoring from backup etc. When they investigated, Microsoft had sent them a username/password to log on to the extended support server for WSUS auto-updates. Guess what, the IT department hadn't bothered to read the email and so no updates for ~5 months and no-one had thought to check XP machines were receiving the updates.

        And people wonder why the NHS is in so much debt.

        1. Halfmad

          Re: Extended support?

          "Guess what, the IT department hadn't bothered to read the email and so no updates for ~5 months and no-one had thought to check XP machines were receiving the updates."

          Was anyone sacked for this? I bet not and that's one of the biggest problems in the public sector, even when colossal mistakes are made, nobody, absolutely nobody takes the blame.

          1. lorisarvendu

            Re: Extended support?

            "Was anyone sacked for this? I bet not and that's one of the biggest problems in the public sector, even when colossal mistakes are made, nobody, absolutely nobody takes the blame."

            The problem here is that you can't just sack members of your IT department because of a mistake like this, especially if each one of them has knowledge vital to the running of the IT Estate (as you will now find in most pared-down IT Departments).

            Plus if the whole dept was to blame, but you can't pin it down to one individual, do you go down the route of bumping it up the hierarchy until you find a sacrificial head? So the IT Director of the Trust takes the fall. What good does that do in ensuring the department pulls its socks up and we don't get a repeat?

            Just saying "someone should be sacked" is a blinkered view, motivated by a short-sighted idea that terminating someone's employment is anything more than simple revenge.

            1. Vic

              Re: Extended support?

              So the IT Director of the Trust takes the fall. What good does that do in ensuring the department pulls its socks up and we don't get a repeat?

              Maybe - just maybe - the next IT Director might actually take some interest in directing the department?

              Directors claim large salaries because they "take the risks", they "have responsibility". This is what responsibility means - if you took the cash when things were going easy, you take the fall when they're going hard.

              Vic.

        2. Mark Dempster

          Re: Extended support?

          >And people wonder why the NHS is in so much debt.

          It's in debt because people expect it to provide more treatment than it can do on the budget it's given by this Tory government. You know, the one that says it's given an extra £10bn, although no one can find more than £4bn in the accounts. And that is funded by a further £22bn of 'efficiency' - cuts, in other words. So the £10bn extra is actually £17.5bn less. And those cuts more than account for any so-called 'debt'.

          So it has very little to do with continuing to use XP. Which they can't afford to replace anyway.

    2. Anonymous Coward

      Re: just a marketing ploy

      Many of the IT-based FOI requests I see are blatantly marketing ploys. This is an obvious "we sell virtual desktop infrastructure, a handy way to migrate from XP"

      What this doesn't say is the percentage of XP machines in the desktop IT estate of these organisations. Is it a handful of PCs that are needed to run AncientImportantSoftv1.1f in one department that can't be migrated to Windows 7 or 10 or is it 70% of the PC estate? The answer will be different for each Trust but even I'd be surprised if any of them were 100% XP and not planning to migrate and I'm a cynical Bastard who's been around NHS IT for longer than I ever planned.

      1. Anonymous Coward

        Re: just a marketing ploy

        As someone who handles FOIs for my NHS Trust/Board/CCG (you decide) I can honestly say most journalists ask the wrong questions and don't challenge (ask for a review) often enough when they don't get the information they were clearly after.

        1. Anonymous Coward
          IT Angle

          Re: just a marketing ploy

          > I can honestly say most journalists ask the wrong questions

          Any examples of a 'right' question that El Reg ought to be asking, by any chance?

          1. Sam Haine

            Start asking the right questions (was: just a marketing ploy)

            How much an NHS Trust spends on permanent IT staff salaries (broken down by job title) and how much it spends on contractors would be a good start.

            1. lorisarvendu

              Re: Start asking the right questions (was: just a marketing ploy)

              "What percentage of Trusts are still using XP machines?" is not the same question as "How many XP machines does each Trust still have?".

              The answer to the first question could well be "90%", but the answer to the second one could be "one or two per Trust." Big difference.

              The devil's in the details.

      2. Daniel von Asmuth
        Windows

        Never change a winning team

        If they have overcome all the problems and drawbacks of XP for over a decade, why change now? After all those negative reports we heard about Vista, 8 and 10? Why did they choose (Win)DOS in the first place?

      3. Anonymous Coward

        Re: just a marketing ploy

        "This is an obvious "we sell virtual desktop infrastructure, a handy way to migrate from XP"

        Probably, but it doesn't mean they're wrong. There's little need to have numerous copies of a full blown desktop OS dotted around various wards and departments when all the data is centralised anyway. Far better to have a thin client with a few centralised servers that can be properly protected. The staff working in the hospital can't be blamed for not sorting out the IT, they're too busy doing other stuff, like oh I dunno, saving people's lives maybe. The desktop machines should just be plug and play with little to no scope for any possible malware injection.

    3. leexgx

      Re: Extended support?

      Just change the system into POS mode on XP and you still get security updates (not that they update the hospital systems anyway, as they're probably too scared it will break the old Windows 95 software that is running on XP).

    4. Nick Ryan Silver badge

      Re: Extended support?

      The last I saw when I was looking at many of these XP systems that litter the NHS was that they typically were left running XP because vital but stunningly incompetently written software was in place that required ActiveX components and appalling versions of Internet Explorer.

      This was one of the key reasons for them to still be in place. On some occasions the original vendor no longer existed, frequently a tiny organisation that disappeared due to the appalling way in which the NHS trusts often treated their small suppliers, or often where an updated version was available but the department couldn't sufficiently justify the upgrade costs of a system that other than running on a dead OS still did the job it was brought in place to do.

      Most departments have such a tiny budget left over after the huge staff costs (massive layers of management and consultants) are taken into account that they can barely afford to buy the consumables they need and more important medical equipment that replacing an otherwise working system just doesn't happen. It's further complicated because many pieces of software are cross department that it needs all departments to upgrade which adds to the impossibility.

      On the positive front it did appear that NHS trust IT departments were getting smarter when it came to new systems but this doesn't help the old software - it wasn't as if the IT departments didn't want to upgrade or see the value in it, they just can't...

  2. Anonymous South African Coward Bronze badge

    Yay for govt IT...

    Maybe they should consider going over to Linux?

    Oh wait...

    1. Adair Silver badge

      The Linux option...

      Probably a good idea, but one that would require actual planning and organisation.

      'NHS-Linux' - their own spin, continually developed, tested, distributed, and under their control. How it might have been done, and done well, but it wasn't.

    2. Anonymous Coward

      We've looked into it, without it being pushed from a central location (government) it's impossible due to national clinical systems being heavily reliant on MS Windows. Yes we could run those in VMs or RDP but our local systems have to link into them and that invariably means a local client. Whilst more systems move to web or portals it'll be easier but right now it's not technically feasible even if we ignore the retraining cost/time for frankly most staff, few will have ever touched Linux and regardless of how similar they appear there would be a lot of hand holding required.

      I remember when we moved from Office 2003 to 2007, that completely foxed many staff and it was a relatively small change.

      1. Neil Lewis

        The statement "most staff, few will have ever touched Linux" is quite simply untrue. Fact is, the vast majority will use Linux every day without realising it, by accessing web sites or by using an Android device.

        That staff can be foxed by transitioning from Office 2003 to 2007 is an indication of the poor training/lack of training frequently seen in office environments. There's a tendency towards a 'click here to do this' mentality inherent in vendor specific training which leads to users being unable to function if an icon or button is moved.

        The problem is neither the OS nor the applications, but an almost criminally unprofessional lack of understanding of the tools. It's as ridiculous as if a plumber claimed they could only work with one particular brand of spanners 'because brand Y looks different'.

        1. JamesPond

          "Fact is, the vast majority will use Linux every day without realising it, by accessing web sites or by using an Android device."

          So you are saying because a secretary or clinician who's used Internet Explorer or their Samsung phone to view a website can therefore boot a Linux PC, logon and run a wordprocessor or spreadsheet application without any training? That's like saying because I've driven a car on the road I can jump into an F1 car and drive it, after all they both have 4 wheels, a steering wheel and an engine, must be the same.

    3. Daniel von Asmuth
      Linux

      Maybe they should consider going over to Linux?

      Why didn't they use Linux in the first place? XP received updates for fourteen years or so. Which Linux distributions and kernel versions have been supported for even seven years?

      1. Adair Silver badge

        Re: Maybe they should consider going over to Linux?

        @Daniel von Asmuth

        Linux is not Windows - I think you misunderstand how it works.

        For a start: Slackware, Debian, Red Hat all started in 1993 (23 years). The thing is, if you are serious about running a serious long term computing platform across a massive and diverse institutional environment, you are serious about taking the source, and setting it up for your own use, and maintaining it.

        If the NHS had sat down, formed an OS development team, taken a base Linux distro, and gone on to build their own bespoke system on top of it they could by now be sitting on a highly developed, relatively very secure and stable OS that they would be in control of and that would offer a common platform for the whole NHS to work with.

        Unfortunately that kind of foresight and organisation was not deployed, so we are where we are.

        1. Anonymous Coward

          Re: Maybe they should consider going over to Linux?

          The reason that can't have happened is that there is no NHS due to the ridiculous internal market nonsense forced onto us by the shopkeeper's daughter. Just a load of separate organizations who are allowed to use the logo.

        2. Kubla Cant

          Re: Maybe they should consider going over to Linux?

          If the NHS had sat down, formed an OS development team, taken a base Linux distro, and gone on to build their own bespoke system on top of it they could by now be sitting on a highly developed, relatively very secure and stable OS that they would be in control of and that would offer a common platform for the whole NHS to work with.

          Sounds good.

          But back in the real world, they'd outsource the development to Monster IT Inc, extend the scope to refactoring the world, and end up with a bill of £100bn for a "free" operating system. By the time it was delivered (if it ever was), everyone would have installed XP.

          1. Adair Silver badge

            Re: Maybe they should consider going over to Linux?

            @Kubla Cant

            That's only one of many possibilities compatible with <REAL_WORLD>, and not so very different to the one that has actually occurred.

        3. AndrewDu

          Re: Maybe they should consider going over to Linux?

          " a highly developed, relatively very secure and stable OS"

          Hmm, well, maybe so.

          But it would frighten the pants off any new start staff who would then need a lot of training and hand-holding before they could do even the simplest thing. Whereas anybody off the street kinda knows how to work Windows - which is what they think "computers" are, anyway.

          Before you sneer, go check out a few of your own users, and imagine the panics.

      2. itzman

        Re: Maybe they should consider going over to Linux?

        It's pure inertia.

        Medical software is specialised, and if it happens to be written for XP, that's what you use, and then if the next hardware vendor comes along and sees an installed base of XP, that's what he's going to write for, as well.

        I asked this question about a relative's dental practice. Basically 'you want an x-ray machine, it runs Vista/XP'. End of.

        Few people outside of major corporates have the financial power to get software written for them: The rest have to buy what's on offer, and not much is on offer for Linux.

        1. Adair Silver badge

          Re: Maybe they should consider going over to Linux?

          @itzman

          Just a point of economic reality. If an institution as large as the NHS, with a commensurate budget, chose to use OS 'Z', there would be no shortage of vendors only too willing to write drivers, etc. for their equipment to run on OS 'Z'.

          It's all about the money, these people are not in the game for the good of their health, or anybody else's for that matter. And even the few that are focussed on putting human wellbeing ahead of profit, would still happily supply OS 'Z' compatible equipment for an institution the size of the NHS.

          1. timul20

            Re: Maybe they should consider going over to Linux?

            You say:

            "if an institution as large as the NHS, with a commensurate budget, chose to use OS 'Z', there would be no shortage of vendors only too willing to write drivers, etc. for their equipment to run on OS 'Z'."

            but actually the NHS is not an institution, it is an affiliated group of Trusts, GP practices, Commissioning Units etc etc, all with their own, often quite paltry, budgets and income streams, often running on their own WANs and running their own organisation specific applications. It's just not as simple as it looks from the outside.

            As other commenters have implied, most NHS organisations that I know of have in fact upgraded most of their desktop estate to Win7 now. The problem is generally with "Analyzers", pieces of healthcare equipment; blood tracking devices, pharmacology equipment, CRT scanners for example, running ancient applications that would nevertheless be breathtakingly expensive to replace with something a bit more up to date.

            This story is, to some extent, a case of mountains and molehills.

            1. Adair Silver badge

              Re: Maybe they should consider going over to Linux?

              @timul20 - But that is really my point: the NHS has always been a shambling bureaucratic 'Frankenstein's monster'; a cobbled together collection of institutions and services all operating under the politically useful collective known as 'NHS'.

              The dependence on bought in services, without any overall long term planning or structure, is symptomatic of that approach. Down the line, we are all reaping the consequences.

              Hindsight is a wonderful thing, of course, but so also would be politicians who know when to engage, enable, and sustain people who genuinely have a clue. But in the 'real world' that hardly ever happens.

        2. John Sanders
          Windows

          Re: Maybe they should consider going over to Linux?

          """Few people outside of major corporates have the financial power to get software written for them: The rest have to buy what's on offer, and not much is on offer for Linux."""

          That may have been the case 20 years ago, not today, so no reason to keep falling into the same trap.

        3. Andy 97

          Re: Maybe they should consider going over to Linux?

          Customer is king.

          Someone wants to spend many millions on my software and requires it to run on (let's say) an obscure BSD variant, I'd make that happen.

          If I didn't, someone else would and that would be money on their balance sheet and not mine.

      3. Hans 1
        Linux

        Re: Maybe they should consider going over to Linux?

        >XP received updates for fourteen years or so.

        Maybe, well, actually, only because Vista was such a mess, but how about Vista, 7, 8 (LOL), 8.1 ?

        As for Linux, when you upgrade Linux, a totally new UI is not thrown at you and you can choose your UI freely, meaning hardly any training costs, if any, when you upgrade.

        Long time support in Linux is 5 years, but again, you do not get the same hassle you get with Windows upgrades, where half the printers in the office (for example) are no longer supported after the upgrade ....

        1. Mark Dempster

          Re: Maybe they should consider going over to Linux?

          >Long time support in Linux is 5 years, but again, you do not get the same hassle you get with Windows upgrades, where half the printers in the office (for example) are no longer supported after the upgrade ....<

          Probably because half the printers in the office never have a Linux driver unless you're prepared to write your own, anyway.

      4. lorisarvendu
        Trollface

        Re: Maybe they should consider going over to Linux?

        Hmmm...which distro would you go with?

        Would it be...Linux Mint by any chance?

  3. Voland's right hand Silver badge

    Yummy ransomware target

    That is one gigantic ransomware target set.

    1. Anonymous Coward

      Re: Yummy ransomware target

      When you say "ransomware", are you referring to malicious software attacking a vulnerable OS, or are you referring to the price that MS is charging to maintain support?

      1. Herby

        Re: Yummy ransomware target

        "When you say "ransomware", are you referring to malicious software attacking a vulnerable OS, or are you referring to the price that MS is charging to maintain support?"

        YES

    2. Toastan Buttar

      Re: Yummy ransomware target

      How very, very true! :)

  4. This post has been deleted by its author

    1. Anonymous Coward

      Re: Migration to Office 365 and Cloud Services etc

      Microsoft "One Drive", Google drive, iCloud, Yahoo, Box and all online storage is blocked from NHS PCs.

      If anyone thinks they are using them, things will change.

      Yes, you are correct. This is because of what we call "information Governance" but Confidentiality rules will do. All those services have a lot to do with the USA. Their ideas on confidentiality are different from ours. This prevents US big business using their spooks to get information about us and lots more.

      1. Halfmad

        Re: Migration to Office 365 and Cloud Services etc

        icloud - in use

        dropbox - in use

        one drive - in use

        It's not all blocked/banned. I'm guessing you see a snapshot of local use. I know of instances where these are being used and can be used with proper controls in place. Ideal? Absolutely not but if the information going onto them is of sufficiently meaningless level then the risk is massively reduced.

        Not saying I personally approve of their use but I do know it's happening.

    2. Sir Sham Cad

      Re: Migration to Office 365 and Cloud Services etc

      Quick answer is "yes, but". All cloud services for NHS and wider .gov.uk use are required to adhere to tighter information governance certifications and standards than would necessarily be the case for a private company or user. In many respects this is more secure than can be reasonably achieved by a local NHS Trust due to budgets, expertise etc...

      New rules regarding ISO certification for NHS email solutions, for example, mean getting internal solutions up to standard and certified or some other option of which Office365 is a possibility.

      Please note that UK Data Centres Only is a requirement. No data leaves the UK. Encryption in transit and at rest is minimum mandatory.

      1. Anonymous Coward

        Re: Migration to Office 365 and Cloud Services etc

        If only data was limited to the UK! Anything owned by NHS England is limited to England. Where I used to work I was looking at building a service where the NHS was a potential customer. Our data centers were in Wales, so we found that they were considered unsuitable.

        Must be the threats from all those sheep.

        1. Halfmad

          Re: Migration to Office 365 and Cloud Services etc

          Someone isn't interpreting the DPA correctly, NHS England can have datacenters anywhere in the UK, not just England and can also have them within the EU if the risk is accepted by the trust/CCG etc.

          Hell if the risk is accepted they can have them ANYWHERE in the world, it's just that when something went wrong, and it would, they'd be up to their necks in it.

          I'm guessing whoever thought it was unacceptable in Wales either was assuming Wales would go independent in the next few years or there was a technical consideration such as rural broadband around the data center etc.

  5. David Lawton

    Running Windows is very expensive.

    1. Anonymous Coward

      Running all IT systems of this scale is expensive.

      1. Anonymous Coward

        Don't worry, it'll be privatised soon so money will be no object.

  6. Anonymous Coward

    I wonder how many of the "stuck" machines rely on software and/or drivers that don't exist in Windows Vista or can't be migrated inexpensively (to the point that ransom costs are less than that of a new machine).
