Over a million computers used by the UK's National Health Service still use the Windows 7 operating system, a worrying statistic when Microsoft is set to stop supporting the OS in six months.

In a written answer to UK member of parliament Jo Platt, the then parliamentary under secretary of state for mental health, inequalities and suicide prevention Jackie Doyle-Price said that "As of 30 June 2019, approximately 1.05 million NHS computers are using Windows 7 from a total of around 1.37 million. This equates to approximately 76% of the NHS estate currently on Windows 7."

"All NHS organisations, with the exception of one which had already upgraded to Windows 10, have signed up to receive Windows 10 licences and Advanced Threat Protection. Deployment of Windows 10 is going well and in line with target to make sure the NHS is operating on supported software when Windows 7 goes out of support in 2020."

Earlier this month, Doyle-Price also said that over two thousand NHS computers are using the Windows XP operating system despite support ending in 2014. However, it is apparently impossible to know when Windows XP will be removed from all NHS machines because "removal is not always possible, particularly where Windows XP is embedded in medical devices." NHS organisations are given guidance on how to minimise the security risks inherent in using an out-of-date operating system, such as keeping those machines separated from the rest of the network.

Nevertheless, the fact that so many computers in one of the largest organizations in the United Kingdom use older operating systems is troubling, especially in the wake of the 2017 attack by WannaCry, a strain of ransomware which locked computers down until $300 was paid to the hackers.

That attack affected 300,000 devices globally and disrupted numerous NHS services, leading to cancelled appointments and to numerous medical facilities being shut down in order to stop the spread of the ransomware. The malicious software only targeted older machines, as WannaCry does not work on Windows 10 computers, but even a year after the ransomware was stopped, a huge number of machines still had not been patched.

Although a cyberattack on UK services is a matter of when, not if, the government is still woefully underprepared for it to occur. The NHS, as a part of the UK's critical national infrastructure, is more likely to be targeted alongside the national grid and financial institutions.
