Legacy technology and the problems they could cause the NHS is the subject of Davey Winder’s latest column for Digital Health. Our cyber security columnist delves into the question of whether the NHS legacy technology security threat ever die.

According to a recent article, one GP has revealed it takes a total of 17 minutes from logging into the computer at her practice to being able to use it.

Actually, the article suggested it took that long to switch on but unless she was doing so in a dark room after being spun around a dozen times, that’s pretty unlikely. Almost as unlikely as the fact this machine, like a million or so others probably still in use within the NHS, was running Windows 7 as the operating system is to blame for the slowdown. Or the regular crashes that were also mentioned by Professor Helen Stokes-Lampard, the GP in question, according to the newspaper.

The reason for the long delay is far more likely due to poor internet bandwidth (the amount of data that can pass through an internet connection) split between a number of computers at the practice leading to low internet speeds (the amount of data that actually gets through to any one PC at any given time.) This is important, as the computer has to connect to the remote NHS gateway and get authenticated and, well, you know the drill.

However, during the Skype conversation between Professor Stokes-Lampard and Matt Hancock that was at the heart of the article, Hancock happened to say: “I don’t think that you can patch Windows 7 anymore”.

This is where the real questions should start to kick in, beyond the logging on time headlines.

Questions such as will the NHS legacy technology security threat ever die?

Sure, Matt Hancock has already announced that NHS organisations must phase out the use of fax machines by March 2020 and start using more secure communications systems instead.

But let’s stick to the operating system issue for now.

Looking for the weakest link

Support for Windows XP was withdrawn in April 2014 but there are still more than 2,000 computers running the outdated OS in use within the NHS according to a written parliamentary response earlier in the year.

Yep, that’s only approximately 0.16% of NHS IT infrastructure, but it’s also 0.16% too much.

Hackers are always looking for the weakest link in order to gain entry to a network, and XP is about as weak as they come, truth be told.

Mind you, Windows 7 will reach its End of Life (EOL) use by date in January 2020.

There are, according to another report from earlier this year, around one million NHS computers still running on Windows 7.

“The news that NHS end-points are still running on slow and outdated Windows 7 operating systems (OS) is not all that surprising considering the tight budgets and cutbacks that are currently hanging over it,” says Andrew Brickell, area director at Ivanti.

“However, using legacy technology within such a critical industry is a recipe for disaster.”

Dependency on legacy technology

Brickell also warns that a “dependency on legacy technology is a dangerous game to play as it leads to the risk of cyberattacks”.

“For optimal efficiency and cybersecurity the NHS should not only ensure that devices are patched quickly, thoroughly and effectively, but also implement an endpoint and workspace management tool that will allow easier migration to Windows 10 and more efficient working,” he concludes.

Of course, the NHS is migrating to Windows 10 slowly but surely.

Back in April 2018, when the centralised Windows 10 agreement between the Department of Health and Social Care and Microsoft was confirmed by NHS Digital, it was noted that all NHS organisations joining the Windows Defender Advanced Threat Protection (WDATP) service on offer would need to commit to migrate from Windows 7 and 8 technology estates to Windows 10, no later than 14th January 2020.

This is despite the fact that WDATP does actually work with Windows 7 SP1 and Windows 8.1, although not in as comprehensive a manner as with Windows 10 machines.

The problem here being that there remains legacy kit within the NHS that cannot be upgraded to Windows 10.

Running on outdated operating systems

Yes, this is only one part of a much wider cyber-resilience framework for the NHS, but I’m still concerned that legacy technology running on outdated operating systems are going to remain a problem for some while to come.

There simply isn’t enough money available to be chucked at the issue to enable it to be sorted in any kind of acceptable, to me at least, time scale.

The NHS has a complex IT estate infrastructure, and when you couple a lack of funding (the £150 million over three years promised back in 2018 won’t be enough in my never humble opinion) with a seriously non-simplistic and highly dynamic security threatscape, things don’t look like they are going to get ‘better enough’ any time soon.