Britain’s National Health Service Still Using XP


Following the global cyber/ransomware attack this week, it transpires that the UK’s National Health Service (NHS) is still using Windows XP on a reported 90% of its systems, even though XP has not officially been supported by Microsoft since April 2014. Apparently the NHS entered into an agreement with Microsoft for a security support extension until April 2015, but this was evidently not renewed. The ransomware, known as Wanna Decryptor or WannaCry, was identified earlier this year and has caused chaos across the NHS. It could possibly have been stopped from infecting NHS computers in March this year, when a patch was issued by Microsoft, but unfortunately the fix could not be installed on ageing operating systems, and those machines will have been left vulnerable to this attack.


Infected computers show a message demanding a $300 ransom which, if not paid to a Bitcoin wallet, will be doubled in three days.

You only have three days to submit the payment. After that the price will be doubled. Also if you don’t pay in seven days, you won’t be able to recover your files forever

According to some reports from as far back as January 2014, the NHS, HMRC (Inland Revenue) and other government departments were asked under the Freedom of Information Act to explain their plans for migrating to newer operating systems, but since Microsoft’s support fees per PC were so high (not surprisingly), many departments apparently decided to remain ‘naked’ after the cut-off date and stay with XP. In my opinion, this is a staggeringly irresponsible neglect of duty, especially with such life-critical data at stake. Here are some figures that highlight the black hole left by the XP fiasco:

As of January 2014 there were just over 1 million desktops and laptops in the England NHS running Windows XP using Internet Explorer 6, 7 or 8, and apparently no central database exists to track migration, as each unit or trust operates as a distinct unit. 90% of England’s NHS trusts still rely on Windows XP, with only 29% saying they would upgrade ‘sometime in 2017’.

Experts say the virus, called Wanna Decryptor, exploits a vulnerability in Microsoft Windows software that was first identified by American spies at the NSA.

I’m not entirely surprised by these revelations and, in fact, only the other day I had to complete some tedious paperwork at a local authority here in Buenos Aires only to find that, not only was the operative using a non-optical PS2 ball mouse, but her operating system was Windows XP. I know this because she couldn’t navigate around her screen properly, prompting me to grab her mouse, extract the ball, clean it and hand it back to her. I was a little taken aback since the town hall had just undertaken a massive refurbishment costing millions, with apparently crucial operating systems not being of the highest priority, so the British NHS is not alone in this respect.

I also spotted Windows XP on a screen in a 2015 BBC report on the construction of HMS Queen Elizabeth, the new aircraft carrier for the Royal Navy. It’s entirely possible of course that the Bliss wallpaper belongs to a sub-contractor, but you have to wonder what it’s doing in a state of the art warship for the Royal Navy in the first place.

Perhaps it’s time the UK government stepped in with emergency funding so that each and every NHS trust is able to upgrade its ageing operating systems and an attack on this scale can be prevented from happening again. But maybe that’s just wishful thinking on my part and, in my naiveté, I may have forgotten that steps such as that are usually entirely political and fall way back in the queue behind expensive equipment to generate money from speeding motorists and think-tanks to discuss the relative benefits of one-way systems, mini roundabouts and the decor to be chosen for the mayor’s new office.

With a general election coming up in the UK next month, a cynic might suggest that this would be an ideal time to place this matter into a political party manifesto and exploit this opportunity for political gain, but what do I know?

Breaking News – Microsoft Takes Unusual Step And Issues Fix For Windows XP

Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. ~ Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center

Microsoft has just issued a communiqué stating that it has issued a fix for versions of Windows that are in custom support only, which covers Windows XP, Windows 8, and Windows Server 2003. Read the full statement here.

More Breaking News

The BBC reports that a young security blogger tells of how he ‘accidentally’ halted the ransomware whilst analysing the code behind the malicious software. Read the full report here.

9 thoughts on “Britain’s National Health Service Still Using XP”

  1. All I can say, and I include myself since I still run XP on one of my machines, is to keep one’s files on a device that is not always attached to the machine. About the only thing on my XP are some old DOS games that I run and enjoy playing. For a business or any organization, such as hospitals etc., not to upgrade their PCs is not rational, and I know of some, let’s say some highly vulnerable XP machines that are still in use in my area.
    XP & Vista are now unsupported, and users are fast approaching the W7 support date. I can only see attacks like this becoming more frequent and more sophisticated.
    Oh, in order for me to put the KB4012598 patch on XP I had to download it as a standalone using W8.1 and then install it in XP; this was because I was unable to connect with Windows Update, but that really did not surprise me. Thanks for the info Marc.

  2. Just checked and version 3 of Malwarebytes which offers these 4 layers of protection
    Malicious website protection
    does so for Windows XP SP2/SP3 (32bit only). Makes one wonder if the hospitals could have been protected, for a much smaller cost while running on a very old o/s, Mindblower!

    1. Be that as it may Mindblower, the NHS should HAVE been protected by more robust and modern operating systems.
      Tell anyone today that you’re still using XP and they’ll laugh in your face. I will admit though, that I have a few machines in my shop that run both XP and Win 98, but those are all under controlled conditions. Nothing critical.

  3. Unbelievable. Personally, I’m not saying that those who were hit with the global cyber/ransomware attack recently didn’t deserve it, but when you read up on who were victims you begin to see why they were hit. At my computer classes, I push the class to fully understand what they need to do to protect themselves against attacks, viruses, scams, spam, etc.
    If users want to keep their older XP & Vista programs that don’t work on newer Windows, maybe a dual load of Linux might be a better solution so that they can use Linux to go on the internet and still run their old Vista/XP programs with network access turned off. But to blatantly ignore the warnings of Microsoft support? What else would you expect?
    Thanks for this article Marc, I’ve posted it to my class FB page for the students to read.

  4. I would take this as a prime mover to explore the advantages of a Linux system and get away from Microsoft…

  5. No XP PCs are known to have been involved in the outbreak, it was almost entirely W7/Server 2008 machines.

    1. Yes, I read that Satrow and it’s also entirely possible that some of the clinical programs they use are only compatible with XP. I suppose the point of my article is to point out that XP is still more widely used than many of us imagined.

      1. It probably is not only the programs but also the network that is set up for these businesses.
