90 per cent of the UK's NHS is STILL relying on Windows XP

The NHS is still running Windows XP en masse, two and a half years after Microsoft stopped delivering bug fixes and security updates. Nearly all of England NHS trusts – 90 per cent – continue to rely on PCs installed with Microsoft’s 15-year-old desktop operating system. Just over half are still unsure as to when they will …

Silver badge

Moving to Vista wouldn't help (that also goes end-of-life in April) unless drivers/apps work in later versions of Windows.

There will be a lot of embedded systems with XP front-ends that just can't be upgraded - either they'll have to be completely replaced, or put through expensive recertification processes (to ensure that they're safe and producing reliable, reproducible results) if they're upgraded - assuming the supplier is still in business.

Desktop stuff, I have less sympathy for...

7
0
Anonymous Coward

There will be a lot of embedded systems with XP front-ends that just can't be upgraded

XP ?? How modern.

I know a precision engineering firm whose NC machine tool is controlled by a Windows 95 system. Because I got spares into stock (via eBay :-) ) for it about 8 years ago, and did some repairs 2 or 3 years ago. Mind you, if the multi-port serial interface dies, they will be SOL....

10
0
Silver badge

When I was working in IT in the NHS there were many machines running expensive things like MRI scanners or X-Ray machines that only ran on XP, but the companies concerned had gone out of business.

Hell, we had a case where a company making AEDs had gone down and another manufacturer was doing firmware updates for them, but couldn't write a replacement program to transfer the firmware because they couldn't work around the security measures on the AED preventing unauthorised tampering with the firmware. Solution? Keep an XP laptop in the cupboard with the original transfer software for the occasional updates.

I'd imagine that most trusts with ~200 separate sites have at least one machine in this category that nobody wants to replace because it's absurd replacing a newish MRI machine just because the OS is XP. Who cares? It's only wired to the MRI and a printer.

So if you say "90%" the NHS is STILL relying on XP then it's technically correct if you go by NHS trusts, rather than NHS sites, or NHS users. You could also say "NHS doesn't want to waste money replacing near new, perfectly working MRI machine." but that'd get you a less sensational headline.

To put it into perspective, the business I work for is in the same situation. We have a voicemail system which runs on an application on Win2k. I'm the only person who knows or cares because it's only accessed by the users through their phones (by a bank of modems wired from the telephone system to the server in question). 100% of the staff use it daily, and we don't have any replacement plans for it other than "wouldn't it be nice..." as the business doesn't want to spend money replacing a perfectly adequate system just for the sake of it.

18
0
Silver badge

"Moving to Vista wouldn't help (that also goes end-of-life in April) unless drivers/apps work in later versions of Windows."

I said Vista because that was the epoch point for Windows newer driver and program models. IOW, if a program or driver can work on Vista, odds are pretty good it'll work on 7, which IS still supported, and passing fair it can work on 8 and up because beyond Vista they didn't monkey too much with basic hardware driver models, and 8.1 and 10 reinforced desktop program support.

2
0
Gold badge
Mushroom

"There will be a lot of embedded systems with XP front-ends that just can't be upgraded "

The joker in this pack is the patient information systems.

What do they run on?

And if it's XP only (in Administrator logon only of course) WTF are they still being used?

2
0
Silver badge

Re: I know a precision engineering firm

Luxury! I know a fast breeder nuclear reactor what runs on a Science o' Cambridge Mk 14. If the dam' thing guz more'n 20 degrees out o' proppa temp'rature specs, some bugger 'as t' pour boron soaked concrete inter the reaction vessel core t' prevent consequences o' carry register error.

An' if yer tell the lazy young sods terday about that they'll never believe ya!

4
0
Mushroom

Re: I know a precision engineering firm

I THOUGHT they used PDP 11s....to run nuclear reactors...

1
0
Facepalm

Re: I know a precision engineering firm

Didn't Uncle Clive claim a ZX81 was all that was required?

0
0
Mushroom

Re: I know a precision engineering firm

"Didn't Uncle Clive claim a ZX81 was all that was required?"

No. It was a ZX80, actually. Apparently you don't need floating point Math to run a reactor like... umm Chernobyl.

0
0
Anonymous Coward

Re: I know a precision engineering firm

"I THOUGHT they used PDP 11s....to run nuclear reactors..."

Some of them, certainly.

That's what a friend of mine who was writing reactor control code worked on.

0
0
Anonymous Coward

Re: I know a precision engineering firm

"I THOUGHT they used PDP 11s....to run nuclear reactors..."

Some of them, certainly.

That's what a friend of mine who was writing reactor control code worked on.

No one wants to tear apart a 40 year old running reactor to implement something different.

0
0
Silver badge
Facepalm

90% XP is the good bit

The other 10% uses fax for communication.

4
1
Silver badge

Why not Windows PE?

Seriously it has all the features you need while consuming a low amount of system resources. There are no privacy concerns and it's even free.

I mean with Vista everybody knew that operating systems from Microsoft would go downhill. Even Windows XP had some serious disadvantages over Windows 2000.

One can also give this a totally different spin. Microsoft is charging money and system resources again for something they already delivered without providing any new functionality. They try to enforce them by refusing to fix any mistakes they made during the production.

3
5
Silver badge
WTF?

Re: Why not Windows PE?

"Seriously it has all the features you need while consuming a low amount of system resources. There is no privacy concerns and it's even free."

You have GOT to be kidding. It's not meant to be used that way, and it reboots after 72 hours of continuous use. Not the sort of thing you'd want to happen with a system monitoring a critically-ill patient.

2
0
Silver badge

Now I feel old

I was going to make a comment about how impressed I was that they've upgraded that much of their systems to XP, since when I worked in a hospital not much less than 15 years ago there were still plenty of 386s running Win 3.1 around. But looking at the dates, that's actually basically the same - 15 years and 3 Windows versions out of date. So rather than joking about how I thought it would be worse, apparently it's exactly as bad as I expected.

That said, I wouldn't be at all surprised if part of the records system in that hospital still runs on a BBC-B. Although at least that has the advantage of not being at much risk of hacking.

3
0
Silver badge

Re: Now I feel old

I think you might be right about the BBC-B. I think it's the one in my garage.

Mine's the one with the 32KB RAM soldered on

1
0
Silver badge
Linux

'up'grading is overrated

seriously, the whole 'up'grade thing [which is a DOWNgrade if it's to "Ape" or Win-10-nic] is highly OVERRATED. It would (likely) require new versions of things that people are familiar with OTHER than just Windows, and that includes HARDWARE too, most likely.

It's a fair bet that a FAIR analysis of the situation might prove that a commercial flavor of Linux, if you MUST "up"grade the OS, would be a lower cost, longer term, TOTAL solution.

Like THESE guys did at Ernie Ball over a decade ago:

Rockin' On Without Microsoft (web archive)

9
13
Anonymous Coward

Re: 'up'grading is overrated

Not sure what you are smoking, but it must be good shit.

Small company - Ernie Ball, what maybe a few hundred people vs NHS 1.2 Million.

Yeah like for like.

Also your Linux system appears faulty, it seems TO BE "doing" random (things) WITH your characters when you TYPE]

12
2
Mushroom

Re: 'up'grading is overrated

"a commercial flavor of Linux, if you MUST "up"grade the OS, would be a lower cost,"

It's a good idea, I did 18 months at Jaguar LandRover and whilst they were still using Windows, they had moved to Google Mail and Docs rather than MS Office and had retrained the users where necessary and it was saving them significant money. But TATA were in the process of investing £1bn.

The majority of users in the NHS are not tech-savvy, they will have never used anything other than Windows & Office either at work or at home. Try justifying to an NHS board spending money in the current financial climate to retrain thousands of users along with their MS certified IT teams to support a rollout of Linux, managing the disruption etc. etc. Plus a lot of proprietary systems such as Pathology and Radiology and GP reporting have clients that only run on Windows.

The majority of the NHS will forever be Windows of one flavor or another, whether that is fat or thin client.

1
2
Silver badge

Re: 'up'grading is overrated

It's a fair bet that a FAIR analysis of the situation might prove that a commercial flavor of Linux, if you MUST "up"grade the OS, would be a lower cost, longer term, TOTAL solution.

Rolling out a Linux variant wouldn't solve the problem of running an obsolete unsupported OS in the long run if the NHS Trusts didn't upgrade the OS. They'd be having the same problem if they had a fleet of RHEL < 5 machines.

Getting rid of legacy IT can be difficult if some essential software or hardware is not ported to a newer platform; we do still have some productive SGI workstations at my work....

1
0
Silver badge

Re: 'up'grading is overrated

"Getting rid of legacy IT can be difficult if some essential software or hardware is not ported to a newer platform; we do still have some productive SGI workstations at my work...."

And that's the point I was making. There are any number of devices that use XP or lower that either (a) cannot be upgraded at all, probably because the manufacturer went out of business taking their trade secrets to the grave, or (b) are such that the only way to fix the software issue is to replace the VERY expensive hardware. If upgrading is either impossible or too expensive, you end up with what I called a "stuck" machine. Think of it like someone holding an underwater mortgage (they owe more to the bank than their home is actually worth, so selling the home to close the mortgage is not an option).

3
0

Re: 'up'grading is overrated

@JamesPond - given the level of 'IT expertise' available to the average NHS staff member the particular OS they are using could hardly be less relevant.

In my experience the vast majority of people only care about the actual software package they use; in the sense of 'care' meaning: are the buttons in the same place today, that they were yesterday, and do they do the things I expect them to do?

Interaction with the system outside of that very limited scope is practically non-existent for most users, i.e. they have no idea at all how a computer works, and they don't care. All they want to do is get their job done.

This is why so many folks find change in IT even more terrifying than other kinds of change---a computer might as well be a magic box as far as they are concerned.

So, changing the OS? No big deal at all, the pain of change will be the same as if you changed the only software package they use day in day out.

We've just had a whole lot of IT application and OS changes in our Trust. The screams could probably be heard from the Moon. That was six months ago. Today? It's the new normal, not even a whimper (well maybe, but only a whimper).

6
0
Silver badge

Re: 'up'grading is overrated

"Interaction with the system outside of that very limited scope is practically non-existent for most users, i.e. they have no idea at all how a computer works, and they don't care. All they want to do is get their job done."

Only 4 upvotes at time of this reply? I wish I could upvote you more than once. This is absolutely the crux of the matter. Users DO NOT CARE about the OS at all. They use programmes to do their jobs. The vast majority of NHS staff would not even know the OS had been changed if the same apps were on the screen. The OS is usually locked down via policies anyway for their user access level so in most cases there's not even much, if anything, in control panel to play with, let alone anything else.

Switching office packages would be a real ball-ache, especially for admin staff, but the front line staff just need the tools that work so they can do their job and some obvious way to launch the relevant app(s).

1
0
Silver badge

Security concerns?

Chewing gum in the USB ports, WAN interface disconnected at the router, executables completely locked-down, any updates (unlikely) and data retrieval via one secure station and lo! A malware-free and secure XP network. As long as it has been running reliably it should continue to do so (give or take incompatible hardware *replacement* - not upgrade)

It works for the UK education system ...

6
1

Re: Security concerns?

"It works for the UK education system ..."

Thanks - I hadn't had a laugh today, but the idea that anything in the UK education system works to any acceptable level gave me a good one.

5
3
Anonymous Coward

Re: Security concerns?

A department REQUIRES USB drive support because they routinely transfer files too big for the network (like high-resolution lossless imagery).

WAN is bridged by a mole device that learns how to masquerade as one of the internal devices. Not unheard of thanks to MAC spoofing.

Secure station keeps breaking down with deadlines to meet and lives (literally) at stake. People forced to find ways around it.

The problem is that reliability can't always be assured, especially as the hardware gets older.

2
0
FAIL

Re: Security concerns?

"A department REQUIRES USB drive support because they routinely transfer files too big for the network (like high-resolution lossless imagery)."

Sorry, that is simply not true. I work on PACS systems with studies that are normally GB's and sometimes TB's in size. These are routinely transferred across hospital LANs and are also transferred across N3 with no problem. A GB study can be retrieved from a remote datacentre and the first images displayed in <2 seconds (SLA) with the remainder of the images viewable within 20 seconds.

Copying patient information onto non-encrypted USB drives is banned across the NHS and is seriously slower than LAN/WAN transfer.

1
0
Silver badge

Re: Security concerns?

"Sorry, that is simply not true. I work on PACS systems with studies that are normally GB's and sometimes TB's in size. These are routinely transferred across hospital LANs and are also transferred across N3 with no problem. A GB study can be retrieved from a remote datacentre and the first images displayed in <2 seconds (SLA) with the remainder of the images viewable within 20 seconds."

Assuming a top-of-the-line network. Bet you that's not the case in general.

"Copying patient information onto non-encrypted USB drives is banned across the NHS and is seriously slower than LAN/WAN transfer."

What about encrypted drives, then? Plus how do you enforce such a thing when time is precious?

0
0

Re: Security concerns?

Assuming a top-of-the-line network. Bet you that's not the case in general.

Every NHS hospital in England and Wales uses PACS of one flavour or another so they must all have reasonably decent network speeds, otherwise Radiologists would be up in arms that they couldn't view studies and the CCGs would be complaining about reporting backlogs affecting patient safety.

Therefore I fail to see the problem in network transfer. Certainly at the Trusts I've worked at, when there have been transfer speed problems, stopping traffic to bbc.co.uk / facebook etc. has had an appreciable positive impact.

0
1
Anonymous Coward

Re: Security concerns?

The UK Education is often trying to deliver services to students / pupils on budgets that compare poorly to those available for employees.

From what I have seen moving pupils to use mainly google-docs eases that burden a lot.

0
0
Silver badge

people don't want to pay tax

+

politicians want to be reelected

=

Infrastructure investments are postponed because not spectacular enough for voters

=> After a time when the current infrastructure is maintained with more and more difficulties it collapses. Then the infrastructure is rebuilt at a cost much higher than in the first place because of the emergency.

After that, the whole process begins again.

8
0
Silver badge

That's always been the one failing of a government by any kind of popular agreement or consensus. Some of the humdrum necessities of civilization also happen to be very irksome: like taxes. Not to mention subject to considerable squabbling. It's only something existential in nature like a crisis that puts people together. End the crisis, and it's back to the squabbling. Humans appear to be more a tribal kind of animal under normal circumstances. Bigger than that, and we start seeing competition.

An autocrat would have the capability to, as they say, cut the crap, but of course that has the risk of being subject to that person's whims. It's really a difficult thing to work out either way.

3
0
Silver badge

The problem with this is that there isn't a lack of taxes being paid, or money spent.

The problem is merely that the people in charge wish to spend the money on vote buying or big impressive projects to get promotions. They start said big project, realise they have ignored every bit of best practice and basic procedure out there and then get promoted out of that position before the entire mess falls apart under the weight of its own mismanagement.

The solution is to promote people on merit, ie. actually delivering completed and usable projects rather than for brownnosing skills. We might then see a reduction in multi billion pound projects failing.

0
0
Silver badge

"The solution is to promote people on merit, ie. actually delivering completed and usable projects rather than for brownnosing skills. We might then see a reduction in multi billion pound projects failing."

You forget. People LIE. And people BELIEVE lies. Given that, people CHEAT. And it's part of the human condition. You can't FORCE people to promote on merit, not even with the law. Disagreeable laws are just ignored as ink on a page. Look at Prohibition.

As long as people respond instinctively to the "What's in it for me" angle, you can't have the utopia.

0
0
Anonymous Coward

The solution is to promote people on merit, ie. actually delivering completed and usable projects

If only, I've worked with several senior managers at NHS Trusts who were 'promoted' because they were incompetent and the only way their previous manager could get rid of them was to support their promotion to somewhere else.

Other than cost saving redundancies, once you have a permanent role in the NHS, you pretty much have to kill a patient to get fired. I don't think I've ever seen anyone fired in the NHS for incompetence.

2
0
Silver badge

"you pretty much have to kill a patient to get fired."

I've heard claims that even that won't get you a reprimand, let alone fired if you are in the "right" job and well entrenched in the "old boys network".

0
0
Anonymous Coward

Killing somebody (more likely to be described as something like "missing opportunities that may have contributed towards the survival of a critically ill patient") is unlikely to be seriously investigated unless a lot of people are screaming loudly enough about it. Even if their manager comes out and says that they are dangerously incompetent then what would actually happen is that they would get put on an improvement plan instead of being fired.

This means that the staff member gets somebody else from the department trailing them around until they either don't make any mistakes for long enough or make massive and (provably) lethal mistakes in front of several people.

1
0

Wow! The trust I work for is in the top 10%. We don't have any XP machines any more. Cool.

1
0
Anonymous Coward

I work in the NHS

We planned ahead and were off XP before normal support expired, we still have 6 XP machines but all are on a LAN which isn't physically or virtually connected to anything else, in utter segregation from the outside world whilst we wait on the supplier finally updating their clinical system to support Windows 7, which we intend to move from in the next couple of years.

Problem is 1. nationally we keep getting systems procured with no legacy planning, no thought of forcing suppliers to keep with the current OS and dependency support requirements.

2. Cost of MS licenses is going through the roof, we'd love to move to Linux but the staff training cost (you can deny it'd be required - but trust me it would be) and problem with national systems not being compatible is a huge problem.

3. Everything is going cloud and there are still a lot of us who would rather steer clear but what can we do when all of our suppliers are only offering cloud based solutions, otherwise we stick with legacy clinical systems with no money to entice a development for a local solution which is up to date?

Honestly I'm all for choice between trusts etc but this is getting utterly out of hand and nationally they've no a scooby how to fix it other than extend support arrangements and kick the problem down the road another year.

6
1
MJI
Silver badge

It did not help that.

MS broke a lot of compatibility with Vista onwards.

Our old system runs on DOS based systems, 2000 and XP, our current system XP and on.

XP can run more software than almost any other OS.

This is why it refuses to go away

5
0
Silver badge

My local trust upgraded a while ago

Same week as a friend of mine was admitted for emergency surgery. I went to visit him, and found he was still in theatre, so I got chatting to the staff about the upgrade. "You see we have a lot of paper notes all over the desk, and the phone doesn't stop ringing" was the reply. It took them a month or so to shake everything down.

0
0
Silver badge

So what?

Software does not wear out. It will continue to do the same tasks today as it was doing 15 years ago. Many bugs have been found in that time, but if those bugs did not affect the operations 15 years ago, they won't affect the same operations today. There has of course been more malware developed, but that will only affect systems that are vulnerable to malware attacks - dedicated systems that cannot be seen on the Internet and don't get new applications installed won't get infected with malware. Besides which, malware that is being deployed today is far more likely to be targeting more modern OS's anyway.

So yes, it is bad if the PC's in question are directly on the Internet and/or having new stuff installed, but for PC's on a secure closed network or no network that are used only with original dedicated applications, it really doesn't matter how old the OS is. Some of my CNC machines are running the same OS (usually a Unix variant) that they were supplied with 25 years ago, and I have a Windows 3.11 PC I use very occasionally to make changes to old FPGA designs because the CAD software will not run on anything later, and the more modern FPGA CAD applications can't read the original design files (and probably don't support long obsolete Xilinx chips anyway).

What would you like to do? Spunk £billions of taxpayer's money on 1) upgrading hardware, 2) buying new OS licences, 3) contracting a software company to re-write all your bespoke applications for the new OS 4) Re-training staff for the inevitable differences in the way it works and 5) compensating for the inevitable delays, bugs and screw-ups?

Sometimes the saying, "If it works, don't fix it" is very relevant.

7
3

Re: So what?

If it works don't fix it in itself is a healthy approach, but it should not absolve management and owners from planning for change. If they do not the bill is simply served later on. The financial and human cost of locking operations down to only repairing and "keeping running" are high.

It is evident that malware-makers (particularly crypto-lockers) are already targeting hospitals.

When crooks blackmail your hospital into paying to unlock XP boxes are you going to argue that "if it ain't broke don' fix it"? Malware riddled environments open up hospitals to seeing their highly confidential data being siphoned off.

2
0
Silver badge

Re: Software does not wear out

Does if you connect it to the internet. Two or three updates and it's threadbare and full of holes.

1
1
Silver badge

Re: So what?

Plus you can never completely isolate a system. After all, there MUST be a way to transfer information in or out or it's useless as a device. As long as a method exists, a method can exist to infect it. Not even Sneakernets are immune.

1
0
Silver badge

Re: So what?

"

After all, there MUST be a way to transfer information in or out or it's useless as a device. As long as a method exists, a method can exist to infect it. Not even Sneakernets are immune.

"

The I/O can consist entirely of keyboard, VDU and local storage, it does not have to include a plausible attack vector.

1
0
RW

Re: Software does not wear out

I switched to Linux, Ubuntu 8, in 2008. It was interesting to watch Firefox fail to work with a greater and greater number of websites, particularly those who had converted to HTML5 for video support. Of course, I finally had to get a new computer (with Mint Linux 17) so I could still go a-youtubing, but now I keep seeing websites using only Flash for video.

The more things change...

0
0

How modern!

0
0
Silver badge

Bah!

A triumph for the Windows 98 migration team, then.

1
0
Gold badge

Amortisation, anyone?

Anytime you buy some equipment, you should ask yourself when it will become worthless (at least for accounting purposes). To a first approximation, that happens with the expiry of either the hardware, the software or the vendor. It sounds like the hardware is still going strong in these cases (or is readily replaceable in the case of desktop PC systems) and so your main worries are software and vendor.

Someone selling you kit and agreeing to share the design and all source code, with an agreement that says you can use that information either if the vendor disappears or if you think the vendor's support offering is too pricey, will immediately have an expected lifetime of N-times longer than the schmuck who sells a closed system. That makes it N-times cheaper than the (closed) competition.

If your bean counters are doing their job properly, that should mean that an organisation the size of the NHS basically need never get into this sort of situation again. Indeed, any use of a closed system should immediately raise suspicions of corruption and back-handers, since it is so vanishingly unlikely that the deal is being costed fairly.

Afterthought: A private sector organisation has to consider a fourth possibility, the expiry of itself. That might present a compelling argument for something that is cheaper this year and we'll worry about the costs next year. Countries tend not to go bankrupt, even when they run out of money, so they probably *shouldn't* be worrying about that fourth possibility.

1
0


Biting the hand that feeds IT © 1998–2018