NHS slow to react as Windows XP support nears the end
Trusts need to make a move by April 2015
Many UK NHS Trusts are at risk of missing the extended cut-off deadline for Windows XP support in April 2015, according to the results of several Freedom of Information requests by software firm Citrix.
Although the government acquired a support extension, the FOI request found that the trusts have been slow to make the transition, or are simply unsure when their transition would be complete.
Windows XP is still in use across all 35 UK trusts, and 74 per cent were planning to migrate their last device in March 2015.
David Harley, a former NHS IT manager who now works as a senior researcher with net security firm ESET, told El Reg that what matters is the intention of these bodies to migrate (where practical); the technologies they intend to use to achieve that goal are secondary concerns.
"I'm not shocked that 74 per cent intend to have finished migration just before Microsoft withdraws extended support, though I hope those organisations haven't underestimated the amount of time they need," Harley said.
He added that not too much should be read into figures from Citrix's FOI that 14 per cent of trusts were "unsure when they would transition their last computer". Whether or not this is an issue would depend on risk assessment and some lab systems might even need to stay on XP in order to run particular applications not available on more modern systems.
"The fact that 14 per cent are uncertain about their end date is natural," Harley explained. "Even if that means that some of them will be migrating after the cut-off date (I have no idea whether that is the case) we don't know if the machines concerned are either at significant risk or pose significant risk."
As exclusively reported by El Reg back in January, thousands of PCs at Britain's biggest public sector bodies would miss Microsoft's April deadline to abandon Windows XP. HMRC and the NHS in England and Scotland will still be running thousands of systems using Windows XP after Microsoft severs the general support lifeline on 8 April.
NHS Scotland has 3,603 PCs with 3,537 on Windows XP and the same number on IE6, according to a series of FOI requests lodged by us with UK government organisations. Plans to replace Windows XP and IE 7, migrating to Windows 7 and IE 8 and, in a few cases, Windows 8 and 10, were already in place north of the border.
The picture was more confusing in England and Wales. FOI requests revealed that there are a total of 1.1m PCs and laptops running Windows at trusts, GPs and other health groups that comprise the NHS in England. However, the NHS in England said it didn't have any information about the state of Windows XP's penetration or migration work. No central records are kept, as migration is the responsibility of individual hospitals, community trusts, ambulance services, and GP surgeries.
Inevitable time lags
Harley explained the general operational environment for IT systems in the NHS, where tight budgets are the norm. The practical upshot of this is that many Windows XP systems might still be in use even past the extended support cut-off next April.
"As far as the NHS is concerned, it's inevitable in a make-do-and-mend/this-is-the-NHS-we-can't-afford-to-upgrade-systems culture that there will be time lags, even when the cut-off has been so prolonged, as was the case with XP," Harley explained.
"What's the real impact of the decline of support? On systems that are used to run a high percentage of the applications, utilities and systems targeted by vulnerabilities that rate a CVE identifier, it may be very serious if there are no security countermeasures (and that's not a plug for AV) in place to counter specific vulnerabilities. Where the uses to which a system is put are severely limited, it may not be so serious," said Harley.
It should be made clear that Harley left the NHS several years ago, so he doesn't have information from the front line about use of Windows XP in the health service. He can however talk about the prevailing general culture where staff are often expected to use systems until they become unworkable or broken, and where efficiency and security become secondary concerns.
"It's the nature of bureaucracies and businesses alike that low-status staff tend to be expected to run low-spec hardware/software that doesn't necessarily correlate to the importance and complexity of the tasks they're responsible for — until the system falls apart. Whereas high-ranking individuals get high-spec systems and frequent upgrades," Harley said.
He added that this approach is becoming increasingly dangerous from a security perspective, as attackers are increasingly focused on breaking into the networks of targets after first compromising the systems of low-status workers or third-party contractors.