Govt. will withdraw Microsoft XP support from 2018
- 13 July 2017
Windows XP support will be withdrawn nationally from 2018, a government report has said.
The target of moving away from unsupported platforms was announced on 12 July in the government’s long-awaited response to Dame Fiona Caldicott’s report into data protection.
It said the Department of Health is “working in partnership with Microsoft” to mitigate risks associated with unsupported software. There are still 4.7% of trusts which use Windows XP, down from 18% in the past 18 months.
“Central support for NHS Digital’s national applications operating on outdated platforms will be phased out, with Windows XP support being withdrawn from 2018”, the report states.
“Local organisations should be aiming to have isolated, moved away from or be actively managing any unsupported systems by April 2018.”
In the WannaCry attacks in May that wreaked havoc in some parts of the NHS, the hackers exploited a Microsoft vulnerability. A security update had been released in March, but many computers globally remained unpatched.
Microsoft defended its role in the cyber-attack in May, and pointed the finger at the US’s National Security Agency for stockpiling exploits, rather than openly sharing them to be fixed.
Microsoft stopped providing support for Windows XP in April 2014 but according to Digital Health Intelligence 2015 data on NHS infrastructure, as many as 20% of NHS organisations could still be making use of it, and around 90% are thought to run something on it somewhere in their organisation, often in clinical systems or imaging equipment.
The Department’s response says that NHS Digital will be publishing technical advice and guidance this month to identify the unsupported systems, and that an initial £21 million will be used to increase cyber resilience of major trauma sites.
The report said that the government accepts the recommendations from Dame Fiona’s report, published last July, alongside the Care Quality Commission’s (CQC) report published at the same time.
The CQC report said that “computer hardware and software that can no longer be supported should be replaced as a matter of urgency”.
At the time, life sciences minister George Freeman said: “We are working with suppliers, including Microsoft, to help health and care organisations update their systems and make sure they are safe to use and store data.”
The government’s report today echoes that promise by saying the Department of Health “will work with partners to negotiate a centrally managed agreement with software providers to provide a common core build of an up-to-date operating system for health and care”.
It says part of the £50 million promised in the spending review will be used to address unsupported systems.
David Behan, chief executive at the CQC, said of today’s response: “Last year we made a number of recommendations as a result of our thematic review ‘Safe Data, Safe Care’.
“We are working alongside NHS Digital to help providers improve their cyber security defences, and from September our inspections of NHS trusts will look more closely at whether the new standards on patient information are being effectively delivered.”
The report acknowledges the difficulty of moving off systems, but says it is absolutely necessary.
“We are aware that it is not always possible or desirable to update systems, particularly in the case of clinical hardware. Nevertheless, unsupported software and ageing technology represent a significant cyber risk, as they are not subject to the latest security patches and updates released by manufacturers.”
Rob Shaw, interim chief executive of NHS Digital, said the agency was committed to the report.
“NHS Digital is committed to the principles set out in the NDG Review.”
“We will work with public, patients, health professionals and partners to build understanding and trust that the data we hold is kept secure and shared safely. We look forward to delivering on the actions the Government Response describes.”
The 84-page document also admitted the scale of the challenge: “We do not underestimate the importance and challenge of bringing every organisation across health and care to an appropriate standard of data security.”