Almost five per cent of devices in NHS Trusts are running on Windows XP - a higher percentage than Windows 8 and Windows 10 combined - according to exclusive CRN research into IT spending in the NHS, despite support for the OS having ended in 2014.
In December, CRN sent Freedom of Information (FoI) requests to all 161 NHS Trusts, and 102 of them replied. Of those Trusts, 51 per cent run Windows XP in some form, ranging from just a few PCs to almost three quarters of their estate.
In total, 18,604 PCs (laptop-type machines, desktops and tablets) run Windows XP among those Trusts which got back to us with these details, comprising 4.7 per cent of the total. By comparison, Windows 10 was running on just 1.8 per cent of PCs, and Windows 8 was on 2.4 per cent - 4.2 per cent combined.
This means that there are currently more PCs running Windows XP (4.7 per cent) in NHS Trusts than Windows 8 and Windows 10 combined (4.2 per cent). Windows 7 is the most popular OS among NHS Trusts by far, running on 82.9 per cent of all devices.
Windows XP was launched in 2001, and support for the popular OS ended in 2014. Microsoft and the government struck a deal for extended support for the OS, as many public bodies had failed to upgrade in time. But this extended support was for a limited period.
Most of the NHS Trusts still running Windows XP in some form had only a few machines on it, mostly less than five per cent of their estate. But some still run a more significant number of machines on the OS: 10 Trusts had between six per cent and 50 per cent of their estate on XP. Further, two trusts had 50 per cent and 53 per cent of their estates on XP respectively, and one had 76 per cent of its IT estate on the operating system.
Security experts told CRN that running Windows XP in any form, be it one machine or thousands, is a risky business.
Chris Mayers, chief security architect at Citrix, said he was not surprised by CRN's findings because they chime with what his company's research found in a survey last year.
"There is a significant amount of XP still installed there," he said. "We regard this as being a significant cybersecurity issue. One of the top four mitigations against cybersecurity issues is the ability to patch an operating system. These top four mitigations prevent 85 per cent of attacks. But if you can't patch the system because it's out of support, that's one of your main props being pushed away.
"We know some organisations have paid for extended support, but this is an expensive business. Frankly, the longer the time goes on, the more expensive extended support costs. Therefore, if you've got XP as part of your estate, it may be more cost effective to replace those machines anyway.
"The other big trend in the last couple of years is ransomware and these target precisely the sorts of problems you can't patch. That's a significant risk. We have seen NHS Trusts themselves be affected by ransomware."
Thomas Fischer, global security advocate at Digital Guardian, said NHS hospitals are "easy targets" for cybercriminals looking to extract money, because sometimes the choice is between life and death for NHS Trusts. He said running Windows XP gives them "more of a footprint of vulnerability" to cyberattacks.
"They can't upgrade the software and they can't upgrade the operating system so they become more susceptible to an attack," he said. "In a critical situation - like in a hospital and you have patients' lives on the line - it is easy money. [Criminals] know [hospitals] are not going to wait to do a backup and will pull the plug and pay the ransom. If they're in that situation and running those old machines, they are giving those parties more of an opportunity to do it."
Tony Tomkys, vice president for UKI for NHS specialist IT supplier BridgeHead Software, agreed and said cybercriminals are becoming even more ruthless.
"In the old days, it was people who were trying to make a point," he said. "It wasn't about the money, it was about proving that you could. That's completely changed and these are criminal gangs whose sole purpose is to make money. In that respect, the NHS is an easy target. I don't think we've even heard the tip of the iceberg about how many of these customers have these attacks. I don't think the public has any idea how often this happens. It's very scary and the problem is there is no simple way to get out of it because they are coming from so far behind. It's going to be very difficult indeed, without massive investment from central government."