Months ago there was a massive ransomware attack, known popularly as WannaCry, which held the National Health Service (NHS) hostage for some time. This was primarily the result of the NHS using unsupported operating systems as part of their daily operations, in this case Windows XP. Prior to the attack, Microsoft had released a patch for Windows XP with the explicit intent to prevent WannaCry from seizing any more systems. However, the patch couldn’t be applied in time to the endpoints on the NHS network. This prompted debates and a rush to place blame on a party among the political class in the UK. However the fighting didn’t last too long and action was quickly taken to enhance health data security through policy.

When the WannaCry malware attack happened, Rob Shaw, had coordinated an immediate response that he defended. In the wake of the attack, NHS Digital had issued a bulletin detailing steps for remediation for affected NHS organizations. Additionally, a 24/7 helpline and command control center was setup to mitigate the spread and impact of the malware. The final bill for recovery for the NHS was around 1 million pounds.

Now in August, the NHS Digital division has made a deal with Microsoft for custom support across all NHS organizations. Covered in the agreement are patches for their existing Windows products including Server 2003, SQL 2005, and Windows XP. The agreement will only last until April 2018. Microsoft is also working with the NHS to provide a frame for detection and response to malicious cyber activity. This deal was hinted at on July 12 in the official government response to the attack. In the report it was explicitly stated that unsupported systems and applications would be phased out by 2018. This seems to include Windows XP. It also states that any local organizations need to start operating on supported systems.

The customized support to the NHS will likely be a special circumstance from Microsoft as the company seems to want nothing to do with Windows XP any further.

Background Context

In 2014, Microsoft had done away with support for Windows XP, which in an ideal world should’ve prompted upgrades to Windows 7 at minimum. However, many business decided to continue running Windows XP despite the security risks. Statcounter had estimated that around 5% of operating systems globally are Windows XP, which translates to around hundreds of millions of outdated machines.

Among those machines running Windows XP are computers used by the NHS, a critical public organization. However, in the UK and Europe in general this may no longer be acceptable under the coming EU General Data Protection Regulation (GDPR). Under this regulation organizations that fail to protect EU citizen data properly will face severe fines. In the case of the NHS, the organization will likely be covered as the patches and custom support from Microsoft will likely be enough to keep the organization safe. The relationship between the NHS and Microsoft is a temporary one, and the organization will need to take measures as well to ensure EU citizen data is safe as well.