Windows 7: Hospitals and healthcare aren't ready to say goodbye

Upgrade paths are harder for machines that aren't PCs.
Written by Liam Tung, Contributing Writer

The world can safely look at 2017's WannaCry outbreak through the rear-view mirror. But the impending cut-off date for Windows 7 patches could set the stage for a repeat in a healthcare sector that depends on machines that can't be upgraded. 

Cisco-owned authentication firm Duo reports positive news on the enterprise shift to Windows. In 2017, two years after Microsoft released Windows 10, Windows 7 still dominated among Duo's user base, overshadowing Windows 10 with a 65 percent share versus the service-based Windows share of 27 percent. 

This week, Duo revealed the tides have turned: Windows 10 now accounted for 66 percent of PCs its software interacts with, compared to 29 percent for Windows 7. 

SEE: 20 pro tips to make Windows 10 work the way you want (free PDF)    

Microsoft will not release patches for Windows 7 after January 14, 2020. Enterprise customers can choose costly custom support contacts and may even continue running machines that are no longer officially supported without this additional support. 

Duo's stats on enterprise Windows 10 adoption on the surface looks like good news. But things get murky when looking at Windows 10 adoption in specific industries -- ones that have born the brunt of the most spectacular cyberattacks in recent history.  

The UK's National Healthcare Service (NHS) became the case studyfor Windows upgrades after the mid-2017 WannaCry outbreak, which crippled a large chunk of the organization's IT systems and delayed thousands of patient appointments. 

Around a third of NHS hospital trusts and 8% of GP practice IT systems were impacted by the file-encrypting WannaCry malware, largely due to organizations running a significant number of older Windows machines that were exposed to an attack that didn't affect Windows 10 at all. 

The situation was so severe that Microsoft issued patches for Windows XP, which it stopped shipping security updates for in 2014. Almost two years to the date of WannaCry, Microsoft again offered patches for XP because of an eerily similar and equally 'wormable' bug called BlueKeep. NHS has also since spent tens of millions on shoring up its systems against the next WannaCry.  

Duo's report covers 24 million devices and half a billion monthly sign-ins in Europe and North America. The company found that the healthcare sector is the "most Windows-dominated industry" of all with just over half of all "endpoints" running legacy Windows, amounting to 500,000 devices. 

While it's easy to criticize organizations for failing to upgrade Windows when Microsoft flags its patch cut-off dates years in advance, software supply chains in some industries just aren't cutout for these timeframes, leaving end-user organizations in a sticky situation. 

These organizations, like the NHS, might be able to move many PCs to the latest version of Windows, but they also maintain legions of diverse machines that simply can't keep up with the bog-standard PC upgrade cycle.    

"There are some verticals that have been moving more promptly to Windows 10 than others," Wendy Nather, head of advisory chief information security officers (CISOs) at Duo, told ZDNet. 

The long lag time for Windows upgrades that the healthcare sector in the US, UK and likely all other nations face could spell trouble for healthcare organizations that can't, for legitimate technical and business reasons, keep pace with a broader shift to Windows 10.

And the reason many healthcare organizations do not upgrade is because of business-specific applications, which also happen to support life-saving functions that in many cases don't have redundancy processes built around downtime for OS upgrades. 

"For the ones who are not moving off Windows 7, such as healthcare, there could be a number of reasons why they don't," said Nather.

"Some reasons include being dependent on third-party applications that don't support Windows 10. The process for migrating operating systems is very disruptive."  

Whether the shift to Windows 10 from Windows 7 plays out as a repeat of what happened with Windows XP remains to be seen. Internet Explorer is less of an issue today than it was when XP was retired, but Windows 7 is the closest version of Windows to XP in terms of reliability and usage. 

"Windows XP was built into so many kiosks and medical equipment devices and so on. It still can't get off Windows XP," said Nather.

"You think about a CT scanner running Windows XP. It [Windows XP] was a very sturdy and resilient operating system and a CT scanner is not built to adopt a new operating system. You expect to hold on to the CT scanner for many years and it costs millions of dollars to buy. That's why Microsoft offered a patch for Windows XP after WannaCry. And there's Windows XP in ATMs. It would cost so much money [to migrate] that it's not necessarily an option for smaller banks."

Editorial standards