Whitehall and Microsoft negotiate NHS Windows XP hacker survival plan
Protection at a price to GB taxpayer
Exclusive: Whitehall is negotiating a deal with Microsoft to prevent thousands of NHS computers from falling victim to hackers targeting Windows XP from April.
The government and Microsoft are in talks to offer extended security support to NHS PCs running Windows XP that miss an 8 April deadline to ditch the OS.
The Department of Health has exclusively told The Register it’s in talks with Microsoft to develop a migration plan to move PCs off of Windows XP.
A major plank of that deal will see Microsoft offer what the DoH terms “extended support”* – at a cost.
Extended support is not a cheap option and means the taxpayer will foot the bill for the NHS’s failure to hit the April deadline to move.
Under extended support, Microsoft assigns dedicated engineers to paying customers and keeps releasing fresh security patches to those customers after the April cut-off.
Fees for this special protection start at $200 per desktop for the first year, going up to $400 in the second and $800 in the third year.
Only 1 million PCs to worry about... and that's JUST the NHS
The NHS in England alone has 1.086 million PCs and laptops running Windows XP at trusts, GPs and other health groups. The National Health Service in Scotland will be contending with 3,603.
A high price has been fixed deliberately by the software giant as an incentive for customers not to dawdle in finally getting off of Windows XP.
Microsoft has made extended support available only to its largest customers who ask for it and who expect to still be running Windows XP after 8 April.
Negotiations between the government and Redmond over the migration and extended support package should conclude “shortly”, we were told.
Pressed by The Register following our investigation into the state of Windows XP migrations across the public sector, the Department told us: “We are discussing plans with Microsoft for putting in place a migration plan and extended support for the NHS."
As for the cost, the DoH did not say how much it expected to pay Microsoft.
Instead, a department spokesperson told The Register: “As well as mitigating against the potential risks of unsupported Windows XP, we hope this will save a lot of money for the NHS alongside the benefits of more modern operating systems.”
Mark Corley, chief technology officer with Microsoft systems integrator Avanade UK, which is in the middle of a number of large Windows XP migrations for clients, told The Reg the cost of extended support has been factored by customers into the overall cost of the projects Avanade is working on.
Extended support for one year has been calculated to be cheaper than the price of not getting cover.
“I have spoken with two of our teams currently in the middle of large XP upgrades. Both have agreed an amount for extended support,” Corley said.
“It seems that, as with most prices, there was a level of negotiation. This included bundled purchase of additional software and services and a commitment around timescales to be off XP.”
Adrian Foxall, chief executive of Camwood, said the NHS rescue package only made financial sense if there’s a plan for all NHS systems to be off Windows XP within a year.
Camwood is working with private-sector clients in their move off Windows XP and said most of its customers had set one-year deadlines to contain what they pay on extended support.
“As long as there’s a plan in place, then one year of custom support is a good idea,” Foxall said. “You don’t want to do this if the migration will slip because that’s a massive investment at the end of the day.”
Microsoft will stop releasing security updates for Windows XP on 8 April.
That means there will be no more software updates and patches from Microsoft for new security vulnerabilities or holes discovered in Windows XP after that date.
Does anyone hear a whooshing sound?
The Reg found that PCs at hospitals, GPs and trusts across Great Britain will miss the early April deadline and therefore be wide open to attack.
That means sensitive patient data and the secure login credentials of millions of NHS staff will be sitting ducks for those writing malware designed to steal data.
The PCs themselves, as well as NHS computer networks, will also be vulnerable to virus writers and those intent on simply infecting and disabling Windows XP PCs.
NHS England and the Cabinet Office, in charge of a number of other government IT initiatives, had both tried to claim the situation was under control.
NHS England assured us local organisations are “aware of the need to migrate from Windows XP in advance of the April 2014 de-support date” and they are “in the process of upgrading.” It also claimed central government had contacted all organisations regularly to emphasise the importance of upgrading their software in advance of April 2014.
However, NHS England was unable to say who, when, or how central government had been in touch.
The Cabinet Office, the civil-service department inside No 10 taking the lead on UK cyber security and the government’s digital policy, told The Reg a Windows XP migration plan is in place but it refused to reveal details, citing "security".
A Cabinet Office spokesperson told The Reg: “Cabinet Office has a plan in place and is working with departmental Technology Leaders on their specific actions so we are prepared for April. Because we take our systems' security very seriously, we will continue to coordinate cross-Government measures.”
The Cabinet Office referred us to CESG guidance on Windows XP. But CESG offers only advice and guidance – it does not enforce or direct policy. In a nutshell, the CESG’s advice for those still using Windows XP after April is: "Don't go online using your old PC".
The Cabinet Office told The Reg: “It is for each organisation to work out the best way to apply this in their individual situations. They need to be confident that they've addressed the relevant risks to their information using appropriate technical, procedural and personnel controls."
But IT suppliers, NHS bodies and even trusts with whom The Register has spoken made it clear the health service has no hope of being ready in time for the April cut-off.
We spoke to an IT operations manager at one major NHS trust who struggled to recall being contacted by central government on the end of Windows XP.
Administrative body NHS England told The Reg in January it simply has no idea how many systems in the NHS in England will miss the April deadline.
That’s because GPs, trusts and other health bodies are treated as independent organisations, responsible for their own IT systems and strategy.
Camwood and a second application-estate specialist working on Windows XP migrations, 1E, told El Reg they were still fielding initial calls from NHS bodies as late as January asking them to start migration projects.
They have no chance of hitting the April deadline.
Such is the opportunity in the NHS that Foxall said the sector will be the object of increased focus by his company.
1E chief executive Sumir Karayi told The Register his company is “maxed out” on Windows XP migration work.
Factors holding back the NHS include the fact that many critical apps had not been updated to work with Windows XP’s successor, Windows 7, until last year. Such apps included the Patient Administration System and Choose and Book, a browser-based app that could only work with the Windows XP browser.
Another factor is the existence of custom apps in HR and patient record systems built for Windows XP that must also be updated for Windows 7. It is likely that many of these have not been updated.
Also adding delay is the fact that NHS IT teams are not just looking after operating systems but large numbers of apps: one NHS trust with 6,000 PCs told us it has whittled 1,300 apps down to 100 as part of its Windows XP migration work to Windows 7.
The trust claimed to have been working on migration for up to nine months already but said the work would still “realistically” run into 2015. ®
* El Reg notes that Microsoft usually refers to support beyond the 8 April cut-off as "custom support".