Windows XP support will be withdrawn nationally from 2018, a government report has said.
The target of moving away from unsupported platforms was announced on 12 July in the government’s long-awaited response to Dame Fiona Caldicott’s report into data protection.
It said the Department of Health is “working in partnership with Microsoft” to mitigate risks associated with unsupported software. There are still 4.7% of trusts which use Windows XP, down from 18% in the past 18 months.
“Central support for NHS Digital’s national applications operating on outdated platforms will be phased out, with Windows XP support being withdrawn from 2018”, the report states.
“Local organisations should be aiming to have isolated, moved away from or be actively managing any unsupported systems by April 2018.”
In the WannaCry attacks in May that wreaked havoc in some parts of the NHS, the hackers exploited a Microsoft vulnerability. A security update had been released in March, but many computers globally remained unpatched.
Microsoft defended its role in the cyber-attack in May, and pointed the finger at the US’s National Security Agency for stockpiling exploits, rather than openly sharing them to be fixed.
Microsoft stopped providing support for Windows XP in April 2014 but according to Digital Health Intelligence 2015 data on NHS infrastructure, as many as 20% of NHS organisations could still be making use of it, and around 90% are thought to run something on it somewhere in their organisation, often in clinical systems or imaging equipment.
The Department’s response says that NHS Digital will be publishing technical advice and guidance this month to identify the unsupported systems, and that an initial £21 million will be used to increase cyber resilience of major trauma sites.
The report said that the government accepts the recommendations from Dame Fiona’s report, published last July, alongside the Care Quality Commission’s (CQC) report published at the same time.
The CQC report said that “computer hardware and software that can no longer be supported should be replaced as a matter of urgency”.
At the time, life sciences minister George Freeman, said: “We are working with suppliers, including Microsoft, to help health and care organisations update their systems and make sure they are safe to use and store data.”
The government’s report today echoes that promise by saying, the Department of Health “will work with partners to negotiate a centrally managed agreement with software providers to provide a common core build of an up-to-date operating system for health and care”.
It says part of the £50 million promised in the spending review will be used to address unsupported systems.
David Behan, chief executive at the CQC, said on today’s response: “Last year we made a number of recommendations as a result of our thematic review ‘Safe Data, Safe Care’.
“We are working alongside NHS Digital to help providers improve their cyber security defences, and from September our inspections of NHS trusts will look more closely at whether the new standards on patient information are being effectively delivered.”
The report acknowledges the difficultly of moving off systems, but says it is absolutely necessary.
“We are aware that it is not always possible or desirable to update systems, particularly in the case of clinical hardware. Nevertheless, unsupported software and ageing technology represent a significant cyber risk, as they are not subject to the latest security patches and updates released by manufacturers.”
Rob Shaw, interim chief executive of NHS Digital, said the agency was committed to the report.
“NHS Digital is committed to the principles set out in the NDG Review.”
“We will work with public, patients, health professionals and partners to build understanding and trust that the data we hold is kept secure and shared safely. We look forward to delivering on the actions the Government Response describes.”
The 84-page document also admitted the scale of the challenge: “We do not underestimate the importance and challenge of bringing every organisation across health and care to an appropriate standard of data security.”