The Shadow Cabinet Office Minister, Jo Platt, has said that it is “deeply concerning” that over 1 million NHS computers - or approximately 76% of the total NHS PC estate - still need to be updated from Windows 7 less than six months before Microsoft cuts off support.
The news of the NHS’s progress on Windows 7 upgrades is particularly concerning, given that the main reason the health service was so vulnerable to the recent WannaCry attack was that hospitals, GPs and other health organisations had not upgraded or patched their Windows PCs.
The WannaCry ransomware attack was a global event and affected many organisations - but the health service found itself having to declare a major incident and implement emergency arrangements to maintain health and patient care, after 81 out of 236 Trusts were impacted. A further 603 primary care and other NHS organisations were also affected.
The National Audit Office’s investigation into the attack found that the Department of Health had been slow to respond to recommendations and that there appeared to be a significant lack of control around ensuring that the NHS responds to requirements.
For example, the Department and the Cabinet Office wrote to Trusts in 2014 saying it was essential that they had “robust plans” to migrate away from old software, such as Windows XP, by April 2015. And in March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry.
However, before May 2017, the Department of Health had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance.
Work to do
In response to a Written Parliamentary Question last week, Jackie Doyle-Price, Parliamentary Under Secretary of State at the Department of Health, confirmed
Jo Platt MP, Shadow Cabinet Office Minister, responding to a Written Parliamentary Answer from the Department of Health and Social Care said:
As of 30 June 2019, approximately 1.05 million NHS computers are using Windows 7 from a total of around 1.37 million. This equates to approximately 76% of the NHS estate currently on Windows 7.
All NHS organisations, with the exception of one which had already upgraded to Windows 10, have signed up to receive Windows 10 licences and Advanced Threat Protection.
Deployment of Windows 10 is going well and in line with target to make sure the NHS is operating on supported software when Windows 7 goes out of support in 2020.
Microsoft is ending support for the decade-old operating system on 14 January 2020. The vendor has signed a deal with the Department of Health that should enable all NHS organisations to use Windows 10 and “strengthen their defence against future cyber attacks.''
However, Shadow Cabinet Office Minister, Jo Platt, criticised the government’s efforts. She said:
With less than six months before Windows 7 support expires, it is deeply concerning that over a million NHS computers, over three quarters of the total NHS IT estate, are still using this operating system meanwhile thousands of computers still using Windows XP.
The WannaCry cyber attack two years ago starkly proved the dangers of operating outdated software. Unless the Government swiftly acts and learns from their past mistakes they are risking a repeat of WannaCry.
Protecting public data and computer systems should be a highest priority of Government but the Conservatives lacklustre is proving that they cannot be trusted to keep us safe.
This new Government must urgently adopt the co-ordinated approach that Labour advocates to secure our public sector.
Last week Cabinet Office Minister Oliver Dowden also refused to confirm whether the Government had asked Microsoft for an extension of support.