Windows 7 support timebomb: 76% of NHS PCs not on Windows 10 despite looming deadline

Just over one million computers in the NHS are still using Windows 7.

With less than half a year to go before support ends for Windows 7, about three-quarters of computers in the UK's National Health Service (NHS) are still running the OS.

Just over one million computers in the NHS are still using Windows 7, according to a written answer from the Department of Health and Social Care.

Having so many machines still running Windows 7 is a problem, according to Jo Platt MP, shadow cabinet office minister, as the end of extended support in January 2020 will mean no more fixes and patches without a costly custom-support deal.

"With less than six months before Windows 7 support expires, it is deeply concerning that over a million NHS computers, over three quarters of the total NHS IT estate, are still using this operating system," she says.

Platt drew attention to the WannaCry attacks on unpatched computers in 2017, which disrupted NHS systems and led to almost 20,000 appointments being cancelled, with the total cost to the NHS estimated to be around £92m.

"The WannaCry cyber attack two years ago starkly proved the dangers of operating outdated software. Unless the government swiftly acts and learns from their past mistakes they are risking a repeat of WannaCry," she says.

Answering Platt's parliamentary question, Jackie Doyle-Price, then parliamentary under secretary of state for mental health, inequalities and suicide prevention, said that while 1.05 million NHS computers were still running Windows 7, the migration process to Windows 10 was underway.

"All NHS organisations, with the exception of one which had already upgraded to Windows 10, have signed up to receive Windows 10 licences and Advanced Threat Protection," she wrote.

"Deployment of Windows 10 is going well and in line with target to make sure the NHS is operating on supported software when Windows 7 goes out of support in 2020."

However, while Doyle-Price suggests the NHS will stop using Windows 7 before the 2020 deadline, the government chose not to answer a separate question from Platt about whether it was in talks with Microsoft about a custom support deal for Windows 7 post-2020.

The government also faced further criticism for a minority of NHS machines still running Windows XP, Microsoft's 2001 operating system that went out of support five years ago.

Despite the risk of running these Windows XP machines, Doyle-Price said it was "not possible to set a timeframe for complete removal of Windows XP from all NHS machines".

"This is because removal is not always possible, particularly where Windows XP is embedded in medical devices," she wrote.

"All NHS organisations have been given guidance on how to mitigate the risks if they cannot completely remove Windows XP from their estate, for example, they can segregate the affected machines from the network. They can also contact NHS Digital for further bespoke advice and support to mitigate risks."

She says additional management, monitoring, and risk mitigation was provided via the NHS's Data Security and Protection Toolkit (DSPT).

Last year the Cabinet Office confirmed that government does not centrally track the number of Windows XP computers operating across the public sector.

While Microsoft ended extended support for Windows XP in 2014, the UK government paid £5.5m for a year's extension to April 2015.

The problem of public bodies using operating systems long after support ends is not limited to the UK: in 2015 the US Navy agreed to pay Microsoft millions to keep supporting Windows XP post-2014.