IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

NHS systems still reliant on Windows XP

Government minister downplays significance of venerable OS' continued use

Over 2,000 NHS systems are still running on Windows XP five years after it stopped receiving security updates.

It's the latest hammer blow to the NHS' reputation for being well behind the curve in terms of keeping its IT systems up-to-date and secure.

The figures were slammed by shadow Cabinet Office minister Jo Platt after they were revealed by Jackie Doyle-Price, parliamentary under secretary of state at the Department of Health.

"The government is seriously lacking the leadership, strategy and co-ordination we need across the public sector to keep us and our data safe and secure," said Platt. "How many more warnings will it take before they listen and take action?

"The next Labour government will provide not only the resourcing but also the vital leadership, organisation and dedication needed to get our public sector fit and resilient to fight the cyber-threats of the 21st century," she added.

It's not the first set of figures that illustrate an apparent disregard for cyber security in some parts of the National Health Service. In December 2018, a response to an FOI request revealed some NHS Trusts spend as little as 250 on cyber security.

Results of a different FOI request a year later revealed one NHS Trust in Cumbria was the victim of an "extraordinary" number of cyber attacks and had spent 29,600 in 2017 alone to remedy the effects.

Doyle-Price was quick to dispel Platt's criticism, claiming that although the number of legacy systems was in the thousands, it only accounted for a small percentage of the total 1.4 million computers run by the NHS.

"This equates to 0.16% of the NHS estate," said Doyle-price. "We are supporting NHS organisations to upgrade their existing Microsoft Windows operating systems, allowing them to reduce potential vulnerabilities and increase cyber resilience."

In the wake of the WannaCry ransomware attack on the NHS in 2017, the National Audit Office revealed the NHS had been warned by the Department of Health as early as 2014 about the threat of cyber attacks and that it should migrate from Windows XP by April 2015.

Five years later, the upgrade process still hasn't been completed and after an attack that cost the NHS a reported 92 million, it has led experts calling for better action to be taken.

"Considering the damage done by the WannaCry attack in 2017, it's appalling that the NHS hasn't finished upgrading its systems," said Paul Bischoff, privacy advocate at "Even if 2,300 computers is a small fraction of the total, hackers only need a single point of ingress to infect an entire network."

There are other reasons for running old software too."Often we see that companies are running old software that is no longer compatible with the newer operating systems, and therefore have to use older systems for this reason - but this does not make lower the risk of using those systems," said Boris Cipot, senior security engineer at Synopsys.

"For instance, it may have very expensive medical equipment that can only be controlled by software that runs on XP," said security analyst Graham Cluley. "So it's not just a  case of updating a PC, but perhaps spending millions on a new MRI scanner."

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Salaries for the least popular programming languages surge as much as 44%

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022