back to article 90 per cent of the UK's NHS is STILL relying on Windows XP

The NHS is still running Windows XP en masse, two and a half years after Microsoft stopped delivering bug fixes and security updates. Nearly all of England NHS trusts – 90 per cent – continue to rely on PCs installed with Microsoft’s 15-year-old desktop operating system. Just over half are still unsure as to when they will …

  1. Pen-y-gors Silver badge

    Extended support?

    Individual government departments and agencies were free to sign their own extended support agreements with Microsoft

    Did Citrix think to ask the trusts whether they had their own extended supporrt agreement? Or is this just a marketing ploy to flog Citrix' thin client services (or whatever they're called this week)

    Still pretty worrying. Another triumph for government IT.

    1. Doctor Syntax Silver badge

      Re: Extended support?

      "Did Citrix think to ask the trusts whether they had their own extended support agreement?"

      Or whether they have exposure to the internet?

      There could be quite a number hooked up to expensive kit with XP-only applications for which there's no alternative. There's no chance of upgrading in such a situation and the best solution is to protect them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Extended support?

        I worked at an NHS Trust that paid Microsoft in the region of £300k for the extended support for 6 months as they still had >3000 XP machines.

        About 5 months into the 6 month extension, they got hit by malware that was supposed to be trapped by one of the updates included in the extended support. The malware hit hundreds of XP machines and caused significant expenditure of resources to fix, restoring from backup etc.. When they investigated, Microsoft had sent them a username/password to logon to the extended support server for WSUS auto-updates. Guess what, the IT department hadn't bothered to read the email and so no updates for ~5 months and no-one had thought to check XP machines were receiving the updates.

        And people wonder why the NHS is in so much debt.

        1. Halfmad

          Re: Extended support?

          "Guess what, the IT department hadn't bothered to read the email and so no updates for ~5 months and no-one had thought to check XP machines were receiving the updates."

          Was anyone sacked for this? I bet not and that's one of the biggest problems in the public sector, even when colossal mistakes are made, nobody, absolutely nobody takes the blame.

          1. lorisarvendu

            Re: Extended support?

            "Was anyone sacked for this? I bet not and that's one of the biggest problems in the public sector, even when colossal mistakes are made, nobody, absolutely nobody takes the blame."

            The problem here is that you can't just sack members of your IT department because of a mistake like this, especially if each one of them has knowledge vital to the running of the IT Estate (as you will now find in most pared-down IT Departments).

            Plus if the whole dept was to blame, but you can't pin it down to one individual, do you go down the route of bumping it up the hierarchy until you find a sacrificial head? So the IT Director of the Trust takes the fall. What good does that do in ensuring the department pulls it's socks up and we don't get a repeat?

            Just saying "someone should be sacked" is a blinkered view, motivated by a short-sighted idea that terminating someone's employment is anything more than simple revenge.

            1. Vic

              Re: Extended support?

              So the IT Director of the Trust takes the fall. What good does that do in ensuring the department pulls it's socks up and we don't get a repeat?

              Maybe - just maybe - the next IT Director might actually take some interest in directing the department?

              Directors claim large salaries because they "take the risks", they "have responsibility". This is what responsibility means - if you took the cash when things were going easy, you take the fall when they're going hard.

              Vic.

        2. Mark Dempster

          Re: Extended support?

          >And people wonder why the NHS is in so much debt.

          It's in debt because people expect it to provide more treatment than it can do on the budget it's given by this Tory government. You know, the one that says it's given an extra £10bn, although noone can find more than £4bn in the accounts. And that is funded by a further £22bn of 'efficiency' - cuts, in other words. So the £10bn extra is actually £17.5bn less. And those cuts more than account for any so-called 'debt'.

          So it has very little to do with continuing to use XP. Which they can't afford to replace anyway.

    2. Anonymous Coward
      Anonymous Coward

      Re: just a marketing ploy

      Many of the IT-based FOI requests I see are blatantly marketing ploys. This is an obvious "we sell virtual desktop infrastructure, a handy way to migrate from XP"

      What this doesn't say is the percentage of XP machines in the desktop IT estate of these organisations. Is it a handful of PCs that are needed to run AncientImportantSoftv1.1f in one department that can't be migrated to Windows 7 or 10 or is it 70% of the PC estate? The answer will be different for each Trust but even I'd be surprised if any of them were 100% XP and not planning to migrate and I'm a cynical Bastard who's been around NHS IT for longer than I ever planned.

      1. Anonymous Coward
        Anonymous Coward

        Re: just a marketing ploy

        As someone who handles FOIs for my NHS Trust/Board/CCG (you decide) I can honestly say most journalists ask the wrong questions and don't challenge (as for a review) often enough when they don't get the information they were clearly after.

        1. 2+2=5 Silver badge
          IT Angle

          Re: just a marketing ploy

          > I can honestly say most journalists ask the wrong questions

          Any examples of a 'right' question that El Reg ought to be asking, by any chance?

          1. Sam Haine

            Start asking the right questions (was: just a marketing ploy)

            How much an NHS Trust spends on permanent IT staff salaries (broken down by job title) and how much it spends on contractors would be a good start.

            1. lorisarvendu

              Re: Start asking the right questions (was: just a marketing ploy)

              "What percentage of Trusts are still using XP machines?" is not the same question as "How many XP machines do each Trust still have?".

              The answer to the first question could well be "90%", but the answer to the second one could be "one or two per Trust." Big difference.

              The devil's in the details.

      2. Daniel von Asmuth Bronze badge
        Windows

        Never change a winning team

        If they have overcome all the problems and drawbacks of XP for over a decade, why change now? After all those negative reports we heard about Vista, 8 and 10? Why did they choose (Win)DOS in the first place?

      3. boltar Silver badge

        Re: just a marketing ploy

        "This is an obvious "we sell virtual desktop infrastructure, a handy way to migrate from XP"

        Probably, but it doesn't mean they're wrong. There's little need to have numerous copies of a full blown desktop OS dotted around various wards and departments when all the data is centralised anyway. Far better to have a thin client with a few centralised servers that can be properly protected. The staff working in the hospital can't be blamed for not sorting out the IT, they're too busy doing other stuff, like oh I dunno, saving peoples lives maybe. The desktop machines should just be plug and play with little to no scope for any possible malware injection.

    3. leexgx

      Re: Extended support?

      just change the system into POS mode on XP and you still get security updates (not that they update the hospital systems any way as probably to scared it brake the windows 95 old software that is running on XP)

    4. Nick Ryan Silver badge

      Re: Extended support?

      The last I saw when I was looking at many of these XP systems that litter the NHS was that they typically were left running XP because vital but stunningly incompetently written software was in place that required ActiveX components and appalling versions of Internet Explorer.

      This was one of the key reasons for them to still be in place. On some occasions the original vendor no longer existed, frequently a tiny organisation that disappeared due to the appalling way in which the NHS trusts often treated their small suppliers, or often where an updated version was available but the department couldnt sufficiently justify the upgrade costs of a system that other than running on a dead OS still did the job it was brought in place to do.

      Most departments have such a tiny budget left over after the huge staff costs (massive layers of management and consultants) are taken into account that they can barely afford to buy the consumables they need and more important medical equipment that replacing an otherwise working system just doesnt happen. it's further complicated because many pieces of software are cross department that it needs all departments to upgrade which adds to the impossibility.

      On the positive front it did appear that NHS trust IT depsrtments were getting smarter when iit came to new systems but this doesnt help the old software - it wasn't as if the IT departments didnt want to upgrade our see the value in it, they just can't...

  2. Anonymous South African Coward Silver badge

    Yay for govt IT...

    Maybe they should consider going over to Linux?

    Oh wait...

    1. Adair

      The Linux option...

      Probably a good idea, but one that would require actual planning and organisation.

      'NHS-Linux' - their own spin, continually developed, tested, distributed, and under their control. How it might have been done, and done well, but it wasn't.

    2. Anonymous Coward
      Anonymous Coward

      We've looked into it, without it being pushed from a central location (government) it's impossible due to national clinical systems being heavily reliant on MS Windows. Yes we could run those in VMs or RDP but our local systems have to link into them and that invariable means a local client. Whilst more systems move to web or portals it'll be easier but right now it's not technically feasible even if we ignore the retraining cost/time for frankly most staff, few will have ever touched Linux and regardless of how similar they appear there would be a lot of hand holding required.

      I remember when we moved from Office 2003 to 2007, that completely foxed many staff and it was a relatively small change.

      1. Neil Lewis

        The statement "most staff, few will have ever touched Linux" is quite simply untrue. Fact is, the vast majority will use Linux every day without realising it, by accessing web sites or by using an Android device.

        That staff can be foxed by transitioning from Office 2003 to 2007 is an indication of the poor training/lack of training frequently seen in office environments. There's a tendency towards a 'click here to do this' mentality inherent in vendor specific training which leads to users being unable to function if an icon or button is moved.

        The problem is neither the OS nor the applications, but an almost criminally unprofessional lack of understanding of the tools. It's as ridiculous as if a plumber claimed they could only work with one particular brand of spanners 'because brand Y looks different'.

        1. JamesPond

          "Fact is, the vast majority will use Linux every day without realising it, by accessing web sites or by using an Android device."

          So you are saying because a secretary or clinician who's used Internet Explorer or their Samsung phone to view a website can therefore boot a Linux PC, logon and run a wordprocessor or spreadsheet application without any training? That's like saying because I've driven a car on the road I can jump into a F1 car and drive it, after all they both have 4 wheels, a steering wheel and and engine, must be the same.

    3. Daniel von Asmuth Bronze badge
      Linux

      Maybe they should consider going over to Linux?

      Why didn't they use Linux in the first place? XP received updates for fourteen years or so. Which Linux distributions and kernel versions have been supported for even seven years?

      1. Adair

        Re: Maybe they should consider going over to Linux?

        @Daniel von Asmuth

        Linux is not Windows - I think you misunderstand how it works.

        For a start: Slackware, Debian, Red Hat all started in1993 (23 years). The thing is, if you are serious about running a serious long term computing platform across a massive and diverse institutional environment, you are serious about taking the source, and setting it up for your own use, and maintaining it.

        If the NHS had sat down, formed an OS development team, taken a base Linux distro, and gone on to build their own bespoke system on top of it they could by now be sitting on a highly developed, relatively very secure and stable OS that they would be in control of and that would offer a common platform for the whole NHS to work with.

        Unfortunately that kind of foresight and organisation was not deployed, so we are where we are.

        1. Anonymous Coward
          Anonymous Coward

          Re: Maybe they should consider going over to Linux?

          The reason that can't have happened is that there is no NHS due to the ridiculous internal market nonsense forced onto us by the shop keepers daughter. Just a load of separate organizations who are allowed to use the logo.

        2. Kubla Cant Silver badge

          Re: Maybe they should consider going over to Linux?

          If the NHS had sat down, formed an OS development team, taken a base Linux distro, and gone on to build their own bespoke system on top of it they could by now be sitting on a highly developed, relatively very secure and stable OS that they would be in control of and that would offer a common platform for the whole NHS to work with.

          Sounds good.

          But back in the real world, they'd outsource the development to Monster IT Inc, extend the scope to refactoring the world, and end up with a bill of £100bn for a "free" operating system. By the time it was delivered (if it ever was), everyone would have installed XP.

          1. Adair

            Re: Maybe they should consider going over to Linux?

            @Kubla Cant

            That's only one of many possibilities compatible with <REAL_WORLD>, and not so very different to the one that has actually occurred.

        3. AndrewDu

          Re: Maybe they should consider going over to Linux?

          " a highly developed, relatively very secure and stable OS"

          Hmm, well, maybe so.

          But it would frighten the pants off any new start staff who would then need a lot of training and hand-holding before they could do even the simplest thing. Whereas anybody off the street kinda knows how to work Windows - which is what they think "computers" are, anyway.

          Before you sneer, go check out a few of your own users, and imagine the panics.

      2. itzman

        Re: Maybe they should consider going over to Linux?

        Its pure inertia.

        Medical software is specoialised, and if it happens to be written for XP, thats what you use, and then if the next hardware vendor comes along and sees an installed base of XP. that's what he's going to write for, as well.

        I asked this question about a relatives dental practice. Basically 'you want a x-ray machine, it runs Vista/XP'. End of.

        Few people outside of major corporates have the financial power to get software written for them: The rest have to buy what's on offer, and not much is on offer for Linux.

        1. Adair

          Re: Maybe they should consider going over to Linux?

          @itzman

          Just a point of economic reality. if an institution as large as the NHS, with a commensurate budget, chose to use OS 'Z', there would be no shortage of vendors only too willing to write drivers, etc. for their equipment to run on OS 'Z'.

          It's all about the money, these people are not in the game for the good of their health, or anybody else's for that matter. And even the few that are focussed on putting human wellbeing ahead of profit, would still happily supply OS 'Z' compatible equipment for an institution the size of the NHS.

          1. timul20

            Re: Maybe they should consider going over to Linux?

            You say:

            "if an institution as large as the NHS, with a commensurate budget, chose to use OS 'Z', there would be no shortage of vendors only too willing to write drivers, etc. for their equipment to run on OS 'Z'."

            but actually the NHS is not an institution, it is an affiliated group of Trusts, GPs practices, Commissioning Units etc etc, all with their own, often quite paltry, budgets and income streams, often running on their own WANS and running their own organisation specific applications. It's just not as simple as it looks from the outside.

            As other commenters have implied, most NHS organisations that I know of have in fact upgraded most of their desktop estate to Win7 now. The problem is generally with "Analyzers", pieces of healthcare equipment; blood tracking devices, pharmacology equipment, CRT scanners for example, running ancient applications that would nevertheless be breathtakingly expensive to replace with something a bit more up to date.

            This story is, to some extent a case of mountains and molehills

            1. Adair

              Re: Maybe they should consider going over to Linux?

              @timul20 - But that is really my point: the NHS has always been shambling bureaucratic 'Frankenstein's monster'; a cobbled together collection of institutions and services all operating under the politically useful collective known as 'NHS'.

              The dependence on bought in services, without any overall long term planning or structure, is symptomatic of that approach.Down the line, we are all reaping the consequences.

              Hindsight is a wonderful thing, of course, but so also would be politicians who know when to engage, enable, and sustain people who genuinely have a clue. But in the 'real world' that hardly ever happens.

        2. John Sanders
          Windows

          Re: Maybe they should consider going over to Linux?

          """Few people outside of major corporates have the financial power to get software written for them: The rest have to buy what's on offer, and not much is on offer for Linux."""

          That may have been the case 20 years ago, not today, so no reason to keep falling into the same trap.

        3. Andy 97

          Re: Maybe they should consider going over to Linux?

          Customer is king.

          Someone wants to spend many millions on my software and requires it to run on (let's say) an obscure BSD variant, I'd make that happen.

          If I didn't, someone else would and that would be money on their balance sheet and not mine.

      3. Hans 1 Silver badge
        Linux

        Re: Maybe they should consider going over to Linux?

        >XP received updates for fourteen years or so.

        Maybe, well, actually, only because Vista was such a mess, but how about Vista, 7, 8 (LOL), 8.1 ?

        As for Linux, when you upgrade Linux, a totally new UI is not thrown at you and you can choose your ui freely, meaning hardly any training costs, if any, when you upgrade.

        Long time support in Linux is 5 years, but again, you do not get the same hassle you get with Windows upgrades, where half the printers in the office (for example) are no longer supported after the upgrade ....

        1. Mark Dempster

          Re: Maybe they should consider going over to Linux?

          >Long time support in Linux is 5 years, but again, you do not get the same hassle you get with Windows upgrades, where half the printers in the office (for example) are no longer supported after the upgrade ....<

          Probably becasue half the printers in the office never have a linux driver unless you're prepared to write your own,anyway

      4. lorisarvendu
        Trollface

        Re: Maybe they should consider going over to Linux?

        Hmmm...which distro would you go with?

        Would it be...Linux Mint by any chance?

  3. Voland's right hand Silver badge

    Yummy ransomware target

    That is one gigantic ransomware target set.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yummy ransomware target

      When you say "ransomware", are you referring to malicious software attacking a vulnerable OS, or are you referring to the price that MS is charging to maintain support?

      1. Herby Silver badge

        Re: Yummy ransomware target

        "When you say "ransomware", are you referring to malicious software attacking a vulnerable OS, or are you referring to the price that MS is charging to maintain support?"

        YES

    2. Toastan Buttar

      Re: Yummy ransomware target

      How very, very true! :)

  4. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Migration to Office 365 and Cloud Services etc

      Microsoft "One Drive", Google drive, iCloud, Yahoo, Box and all online storage is blocked from NHS PCs.

      If anyone thinks they are using them, things will change.

      Yes, you are correct. This is because of what we call "information Governance" but Confidentiality rules will do. All those services have a lot to do with the USA. Their ideas on confidentiality are different from ours. This prevents US big business using their spooks to get information about us and lots more.

      1. Halfmad

        Re: Migration to Office 365 and Cloud Services etc

        icloud - in use

        dropbox - in use

        one drive - in use

        It's not all blocked/banned. I'm guessing you see a snapshot of local use. I know of instances where these are being used and can be used with proper controls in place. Ideal? Absolutely not but if the information going onto them is of sufficiently meaningless level then the risk is massively reduced.

        Not saying I personally approve of their use but I do know it's happening.

    2. Sir Sham Cad

      Re: Migration to Office 365 and Cloud Services etc

      Quick answer is "yes, but". All cloud services for NHS and wider .gov.uk use are required to adhere to tighter information governance certifications and standards than would necessarily be the case for a private company or user. In many respects this is more secure than can be reasonably achieved by a local NHS Trust due to budgets, expertise etc...

      New rules regarding ISO certification for NHS email solutions, for example, mean getting internal solutions up to standard and certified or some other option of which Office365 is a possibility.

      Please note that UK Data Centres Only is a requirement. No data leaves the UK. Encryption in transit and at rest is minimum mandatory.

      1. Anonymous Coward
        Anonymous Coward

        Re: Migration to Office 365 and Cloud Services etc

        If only data was limited to the UK! Anything owned by NHS England is limited to England. Where I used to work I was looking at building a service where the NHS was a potential customer. Our data centers were in Wales, so we found that they were considered unsuitable.

        Must be the threats from all those sheep.

        1. Halfmad

          Re: Migration to Office 365 and Cloud Services etc

          Someone isn't interpreting the DPA correctly, NHS England can have datacenters anywhere in the UK, not just England and can also have them within the EU if the risk is accepted by the trust/CCG etc.

          Hell if the risk is accepted they can have them ANYWHERE in the world, it's just that when someone went wrong, and it would they'd be up to their necks in it.

          I'm guessing whoever thought it was unacceptable in Wales either was assuming Wales would go independent in the next few years or there was a technical consideration such as rural broadband around the data center etc.

  5. David Lawton

    Running Windows is very expensive.

    1. Anonymous Coward
      Anonymous Coward

      Running all IT systems of this scale is expensive.

      1. Anonymous Coward
        Anonymous Coward

        Don't worry, it'll be privatised soon so money will be no object.

  6. Anonymous Coward
    Anonymous Coward

    I wonder how many of the "stuck" machines rely on software and/or drivers that don't exist in Windows Vista or can't be migrated inexpensively (to the point that ransom costs are less than that of a new machine).

    1. Chris King Silver badge

      Moving to Vista wouldn't help (that also goes end-of-life in April) unless drivers/apps work in later versions of Windows.

      There will be a lot of embedded systems with XP front-ends that just can't be upgraded - either they'll have to be completely replaced, or put through expensive recertification processes (to ensure that they're safe and producing reliable, reproduceable results) if they're upgraded - assuming the supplier is still in business.

      Desktop stuff, I have less sympathy for...

      1. Anonymous Coward
        Anonymous Coward

        There will be a lot of embedded systems with XP front-ends that just can't be upgraded

        XP ?? How modern.

        I know a precision engineering firm whose NC machine tool is controlled by a Windows 95 system. Because I got spares into stock (via eBay :-) ) for it about 8 years ago, and did some repairs 2 or 3 years ago. Mind you, if the multi-port serial interface dies, they will be SOL....

        1. Stevie Silver badge

          Re: I know a precision engineering firm

          Luxury! I know a fast breeder nuclear reactor what runs on a Science o' Cambridge Mk 14. If the dam' thing guz more'n 20 degrees out o' proppa temp'rature specs, some bugger 'as t' pour boron soaked concrete inter the reaction vessel core t' prevent consequences o' carry register error.

          An' if yer tell the lazy young sods terday about that they'll never believe ya!

          1. itzman
            Mushroom

            Re: I know a precision engineering firm

            I THOUGHT they used PDP 11s....to run nuclear reactors...

            1. Paul Mitchell
              Facepalm

              Re: I know a precision engineering firm

              Didn't Uncle Clive claim a ZX81 was all that was required?

              1. BillDarblay
                Mushroom

                Re: I know a precision engineering firm

                "Didn't Uncle Clive claim a ZX81 was all that was required?"

                No. It was a ZX80, actually. Aparently you don't need floating point Math to run a reactor like... umm Chernobyl.

            2. Anonymous Coward
              Anonymous Coward

              Re: I know a precision engineering firm

              "I THOUGHT they used PDP 11s....to run nuclear reactors..."

              Some of them, certainly.

              That's what a friend of mine who was writing reactor control code worked on.

            3. Anonymous Coward
              Anonymous Coward

              Re: I know a precision engineering firm

              "I THOUGHT they used PDP 11s....to run nuclear reactors..."

              Some of them, certainly.

              That's what a friend of mine who was writing reactor control code worked on.

              No one wants to tear apart a 40 year old running reactor to implement something different.

      2. Peter2 Silver badge

        When I was working in IT in the NHS there were many machines running expensive things like MRI scanners or X-Ray machines that only ran on XP, but the companies concerned had gone out of business.

        Hell, we had a case where a company making AED's had gone down and another manufacturer was doing firmware updates for them, but couldn't write a replacement program to transfer the firmware because they couldn't work around the security measures on the AED preventing unauthorised tampering with the firmware. Solution? Keep an XP laptop in the cupboard with the original transfer software for the occasional updates.

        I'd imagine that most trusts with ~200 separate sites have at least one machine in this category that nobody wants to replace because it's absurd replacing a newish MRI machine just because the OS is XP. Who cares? It's only wired to the MRI and a printer.

        So if you say "90%" the NHS is STILL relying on XP then it's technically correct if you go by NHS trusts, rather than NHS sites, or NHS users. You could also say "NHS doesn't want to waste money replacing near new, perfectly working MRI machine." but that'd get you a less sensational headline.

        To put it into perspective, the business I work for is in the same situation. We have a voicemail system which runs on an application on Win2k. I'm the only person who knows or cares because it's only accessed by the users through their phones (by a bank of modems wired from the telephone system to the server in question) 100% of the staff use it daily, and we don't have any replacement plans for it other than "wouldn't it be nice..." as the business doesn't want to spend money replacing a perfectly adequate system just for the sake of it.

      3. Charles 9 Silver badge

        "Moving to Vista wouldn't help (that also goes end-of-life in April) unless drivers/apps work in later versions of Windows."

        I said Vista because that was the epoch point for Windows newer driver and program models. IOW, if a program or driver can work on Vista, odds are pretty good it'll work on 7, which IS still supported, and passing fair it can work on 8 and up because beyond Vista they didn't monkey too much with basic hardware driver models, and 8.1 and 10 reinforced desktop program support.

      4. John Smith 19 Gold badge
        Mushroom

        "There will be a lot of embedded systems with XP front-ends that just can't be upgraded "

        The joker in this pack is the patient information systems.

        What do they run on?

        And if it's XP only (in Administrator logon only of course) WTF are they still being used?

  7. AMBxx Silver badge
    Facepalm

    90% XP is the good bit

    The other 10% uses fax for communication,.

  8. Christian Berger Silver badge

    Why not Windows PE?

    Seriously it has all the features you need while consuming a low amount of system resources. There is no privacy concerns and it's even free.

    I mean with Vista everybody knew that operating systems from Microsoft would go downhill. Even Windows XP had some serious disadvantages over Windows 2000.

    One can also give this a totally different spin. Microsoft is charging money and system resources again for something they already delivered without providing any new functionality. They try to enforce them by refusing to fix any mistakes they made during the production.

    1. Chris King Silver badge
      WTF?

      Re: Why not Windows PE?

      "Seriously it has all the features you need while consuming a low amount of system resources. There is no privacy concerns and it's even free."

      You have GOT to be kidding. It's not meant to be used that way, and it reboots after 72 hours of continuous use. Not the sort of thing you'd want to happen with a system monitoring a critically-ill patient.

  9. Cuddles Silver badge

    Now I feel old

    I was going to make a comment about how impressed I was that they've upgraded that much of their systems to XP, since when I worked in a hospital not much less than 15 years ago there were still plenty of 386s running Win 3.1 around. But looking at the dates, that's actually basically the same - 15 years and 3 Windows versions out of date. So rather than joking about how I thought it would be worse, apparently it's exactly as bad as I expected.

    That said, I wouldn't be at all surprised if part of the records system in that hospital still runs on a BBC-B. Although at least that has the advantage of not being at much risk of hacking.

    1. psychonaut

      Re: Now I feel old

      i think you might be right about the bbc-b. i think its the one in my garage.

      mines the one with the 32kb ram soldered on

  10. bombastic bob Silver badge
    Linux

    'up'grading is overrated

    seriously, the whole 'up'grade thing [which is a DOWNgrade if it's to "Ape" or Win-10-nic] is highly OVERRATED. It would (likely) require new versions of things that people are familiar with OTHER than just Windows, and that includes HARDWARE too, most likely.

    It's a fair bet that a FAIR analysis of the situation might prove that a commercial flavor of Linux, if you MUST "up"grade the OS, would be a lower cost, longer term, TOTAL solution.

    Like THESE guys did at Ernie Ball over a decade ago:

    Rockin' On Without Microsoft (web archive)

    1. Anonymous Coward
      Anonymous Coward

      Re: 'up'grading is overrated

      Not sure what you are smoking, but it must be good shit.

      Small company - Ernie Ball, what maybe a few hundred people vs NHS 1.2 Million.

      Yeah like for like.

      Also your Linux system appears faulty, it seems TO BE "doing" random (things) WITH your characters when you TYPE]

    2. JamesPond
      Mushroom

      Re: 'up'grading is overrated

      "a commercial flavor of Linux, if you MUST "up"grade the OS, would be a lower cost,"

      It's a good idea, I did 18 months at Jaguar LandRover and whilst they were still using Windows, they had moved to Google Mail and Docs rather than MS Office and had retrained the users where necessary and it was saving them significant money. But TATA were in the process of investing £1bn. .

      The majority of users in the NHS are not tech-savvy, they will have never used anything other than Windows & Office either at work or at home. Try justifying to an NHS board spending money in the current financial climate to retrain thousands of users along with their MS certified IT teams to support a rollout of Linux, managing the disruption etc. etc. Plus a lot of proprietary systems such as Pathology and Radiology and GP reporting have clients that only run on Windows.

      The majority of the NHS will forever be Windows of one flavor or another, whether that is fat or thin client.

      1. Adair

        Re: 'up'grading is overrated

        @JamesPond - given the level of 'IT expertise' available to the average NHS staff member the particular OS they are using could hardly be less relevant.

        In my experience the vast majority of people only care about the actual software package they use; in the sense of 'care' meaning: are the buttons in the same place today, that they were yesterday, and do they do the things I expect them to do?

        Interaction with the system outside of that very limited scope is practically non-existent for most users, i.e. they have no idea at all how a computer works, and they don't care. All they want to do is get their job done.

        This is why so may folks find change in IT even more terrifying than other kinds of change---a computer might as well be a magic box as far as they are concerned.

        So, changing the OS? No big deal at all, the pain of change will be the same as if you changed the only software package they use day in day out.

        We've just had a whole lot of IT application and OS changes in our Trust. The screams could probably be heard from the Moon. That was six months ago. Today? It's the new normal, not even a whimper (well maybe, but only a whimper).

        1. John Brown (no body) Silver badge

          Re: 'up'grading is overrated

          "Interaction with the system outside of that very limited scope is practically non-existent for most users, i.e. they have no idea at all how a computer works, and they don't care. All they want to do is get their job done."

          Only 4 upvotes at time of this reply? I with I could upvote you more than once. This is absolutely the crux of the matter. Users DO NOT CARE about the OS at all. They use programmes to do their jobs. The vast majority of NHS staff would not even know the OS had been changed if the same apps were on the screen. The OS is usually locked down via policies anyway for their user access level so in most cases there's not even much, if anything, in control panel to play with, let alone anything else.

          Switching office packages would be a real ball-ache, especially for admin staff, but the front line staff just need the tools that work so they can do their job and some obvious way to launch the relevant app(s).

    3. Korev Silver badge

      Re: 'up'grading is overrated

      It's a fair bet that a FAIR analysis of the situation might prove that a commercial flavor of Linux, if you MUST "up"grade the OS, would be a lower cost, longer term, TOTAL solution.

      Rolling out a Linux variant wouldn't solve the problem of having running an obsolete unsupported OS in the long run if the NHS Trusts didn't upgrade the OS. They'd be having the same problem if they had a fleet of RHEL < 5 machines.

      Getting rid of legacy IT can be difficult if some essential software or hardware is not ported to a newer platform; we do still have some productive SGI workstations at my work....

      1. Charles 9 Silver badge

        Re: 'up'grading is overrated

        "Getting rid of legacy IT can be difficult if some essential software or hardware is not ported to a newer platform; we do still have some productive SGI workstations at my work...."

        And that's the point I was making. There are any number of devices that use XP or lower that either (a) cannot be upgraded at all, probably because the manufacturer went out of business taking their trade secrets to the grave, or (b) are such that the only way to fix the software issue is to replace the VERY expensive hardware. If upgrading is either impossible or too expensive, you end up with what I called a "stuck" machine. Think of it like someone holding an underwater mortgage (they owe more to the bank than their home is actually worth, so selling the home to close the mortgage is not an option).

  11. Andy The Hat Silver badge

    Security concerns?

    Chewing gum in the USB ports, WAN interface disconnected at the router, executables completely locked-down, any updates (unlikely) and data retrieval via one secure station and lo! A malware-free and secure XP network. As long as it has been running reliably it should continue to do so (give or take incompatible hardware *replacement* - not upgrade)

    It works for the UK education system ...

    1. Pete B

      Re: Security concerns?

      "It works for the UK education system ..."

      Thanks - I hadn't had a laugh today, but the idea that anything in the UK education system works to any acceptable level gave me a good one.

      1. Anonymous Coward
        Anonymous Coward

        Re: Security concerns?

        The UK Education is often trying to deliver services to students / pupills on budgets that compare poorly to those available for employees.

        From what I have seen moving pupils too use mainly google-docs eases that burden a lot.

    2. Anonymous Coward
      Anonymous Coward

      Re: Security concerns?

      A department REQUIRES USB drive support because they routinely transfer files too big for the network (like high-resolution lossless imagery).

      WAN is bridged by a mole device that learns how to masquerade as one of the internal devices. Not unheard of thanks to MAC spoofing.

      Secure station keeps breaking down with deadlines to meet and lives (literally) at stake. People forced to find ways around it.

      The problem is that reliability can't always be assured, especially as the hardware gets older.

      1. JamesPond
        FAIL

        Re: Security concerns?

        "A department REQUIRES USB drive support because they routinely transfer files too big for the network (like high-resolution lossless imagery)."

        Sorry, that is simply not true. I work on PACS systems with studies that are normally GB's and sometimes TB's in size. These are routinely transferred across hospital LANs and are also transferred across N3 with no problem. A GB study can be retrieved from a remote datacentre and the first images displayed in <2 seconds (SLA) with the remainder of the images viewable within 20 seconds.

        Copying patient information onto non-encrypted USB drives is banned across the NHS and is seriously slower than LAN/WAN transfer.

        1. Charles 9 Silver badge

          Re: Security concerns?

          "Sorry, that is simply not true. I work on PACS systems with studies that are normally GB's and sometimes TB's in size. These are routinely transferred across hospital LANs and are also transferred across N3 with no problem. A GB study can be retrieved from a remote datacentre and the first images displayed in <2 seconds (SLA) with the remainder of the images viewable within 20 seconds."

          Assuming a top-of-the-line network. Bet you that's not the case in general.

          "Copying patient information onto non-encrypted USB drives is banned across the NHS and is seriously slower than LAN/WAN transfer."

          What about encrypted drives, then? Plus how do you enforce such a thing when time is precious?

          1. JamesPond

            Re: Security concerns?

            Assuming a top-of-the-line network. Bet you that's not the case in general.

            Every NHS hospital in England and Wales uses PACS of one flavour or another so they must all have reasonably decent network speeds, otherwise Radiologist's would be up in arms that they couldn't view studies and the CCG's would be complaining about reporting backlogs affecting patient safety.

            Therefore I fail to see the problem in network transfer. Certainly at the Trust's I've worked at, when there have been transfer speed problems, stopping traffic to bbc.co.uk / facebook etc. has had an appreciable positive impact.

  12. Potemkine Silver badge

    people don't want to pay tax

    +

    politicians want to be reelected

    =

    Infrastructure investments are postponed because not spectacular enough for voters

    => After a time when the current infrastructure is maintained with more and more difficulties it collapses. Then the infrastructure is rebuilt at a cost much higher than at first place because of emergency.

    After that, the whole process begins again.

    1. Charles 9 Silver badge

      That's always been the one failing of a government by any kind of popular agreement or consensus. Some of the humdrum necessities of civilization also happen to be very irksome: like taxes. Not to mention subject to considerable squabbling. It's only something existential in nature like a crisis that puts people together. End the crisis, and it's back to the squabbling. Humans appear to be more a tribal kind of animal under normal circumstances. Bigger than that, and we start seeing competition.

      An autocrat would have the capability to, as they say, cut the crap, but of course that has the risk of being subject to that person's whims. It's really a difficult thing to work out either way.

      1. Peter2 Silver badge

        The problem with this is that there isn't a lack of taxes being paid, or money spent.

        The problem is merely that the people in charge wish to spend the money on vote buying or big impressive projects to get promotions. They start said big project, realise they have ignored every bit of best practice and basic procedure out there and then get promoted out of that position before the entire mess falls apart under the weight of it's own mismanagement.

        The solution is to promote people on merit, ie. actually delivering completed and usable projects rather than for brownnosing skills. We might then see a reduction in multi billion pound projects failing.

        1. Charles 9 Silver badge

          "The solution is to promote people on merit, ie. actually delivering completed and usable projects rather than for brownnosing skills. We might then see a reduction in multi billion pound projects failing."

          You forget. People LIE. And people BELIEVE lies. Given that, people CHEAT. And it's part of the human condition. You can't FORCE people to promote on merit, not even with the law. Disagreeable laws are just ignored as ink on a page. Look at Prohibition.

          As long as people respond instinctively to the "What's in it for me" angle, you can't have the utopia.

          1. Anonymous Coward
            Anonymous Coward

            The solution is to promote people on merit, ie. actually delivering completed and usable projects

            If only, I've worked with several senor managers at NHS Trusts who were 'promoted' because they were incompetent and the only way their previous manager could get rid of them was to support their promotion to somewhere else.

            Other than cost saving redundancies, once you have a permanent role in the NHS, you pretty much have to kill a patient to get fired. I don't think I've ever seen anyone fired in the NHS for incompetence.

            1. John Brown (no body) Silver badge

              "you pretty much have to kill a patient to get fired."

              I've heard claims that even that won't get you a reprimand, let alone fired if you are in the "right" job and well entrenched in the "old boys network".

              1. Anonymous Coward
                Anonymous Coward

                Killing somebody (more likely to be described as something like "missing opportunities that may have contributed towards the survival of a critically ill patient") is unlikely to be seriously investigated unless a lot of people are screaming loudly enough about it. Even if their manager comes out and says that they are dangerously incompetent then what would actually happen is that they would get put on an improvement plan instead of being fired.

                This means that the staff member gets somebody else from the department trailing them around until they either don't make any mistakes for long enough or make massive and (provably) lethal mistakes in front of several people.

  13. Dan McIntyre

    Wow! The trust I work for is in the top 10%. We don't have any XP machines any more. Cool.

  14. Anonymous Coward
    Anonymous Coward

    I work in the NHS

    We planned ahead and were off XP before normal support expired, we still have 6 XP machines but all are on a LAN which isn't physically or virtually connected to anything else, in utter segregation from the outside world whilst we wait on the supplier finally updating their clinical system to support Windows 7, which we intend to move from in the next couple of years.

    Problem is 1. nationally we keep getting systems procured with no legacy planning, no thought of forcing suppliers to keep with the current OS and dependency support requirements.

    2. Cost of MS licenses is going through the roof, we'd love to move to Linux but the staff training cost (you can deny it'd be required - but trust me it would be) and problem with national systems not being compatible is a huge problem.

    3. Everything is going cloud and there are still a lot of us who would rather steer clear but what can we do when all of our suppliers are only offering cloud based solutions, otherwise we stick with legacy clinical systems with no money to entice a development for a local solution which is up to date?

    Honesty I'm all for choice between trusts etc but this is getting utterly out of hand and nationally they've no a scooby how to fix it other than extend support arrangements and kick the problem down the road another year.

  15. MJI Silver badge

    It did not help that.

    MS broke a lot of compatalitiy with Vista onwards.

    Our old system runs on DOS based systems, 2000 and XP, our current system XP and on.

    XP can run more software than almost any other OS.

    This is why it refuses to go away

  16. Arthur the cat Silver badge

    My local trust upgraded a while ago

    Same week as a friend of mine was admitted for emergency surgery. I went to visit him, and found he was still in theatre, so I got chatting to the staff about the upgrade. "You see we have a lot of paper notes all over the desk, and the phone doesn't stop ringing" was the reply. It took them a month or so to shake everything down.

  17. Cynic_999 Silver badge

    So what?

    Software does not wear out. It will continue to do the same tasks today as it was doing 15 years ago. Many bugs have been found in that time, but if those bugs did not affect the operations 15 years ago, they won't affect the same operations today. There has of course been more malware developed, but that will only affect systems that are vulnerable to malware attacks - dedicated systems that cannot be seen on the Internet and don't get new applications installed won't get infected with malware. Besides which, malware that is being deployed today is far more likely to be targeting more modern OS's anyway.

    So yes, it is bad if the PC's in question are directly on the Internet and/or having new stuff installed, but for PC's on a secure closed network or no network that are used only with original dedicated applications, it really doesn't matter how old the OS is. Some of my CNC machines are running the same OS (usually a Unix variant) that they were supplied with 25 years ago, and I have a Windows 3.11 PC I use very occasionally to make changes to old FPGA designs because the CAD software will not run on anything later, and the more modern FPGA CAD applications can't read the original design files (and probably don't support long obsolete Xilinx chips anyway).

    What would you like to do? Spunk £billions of taxpayer's money on 1) upgrading hardware, 2) buying new OS licences, 3) contracting a software company to re-write all your bespoke applications for the new OS 4) Re-training staff for the inevitable differences in the way it works and 5) compensating for the inevitable delays, bugs and screw-ups?

    Sometimes the saying, "If it works, don't fix it" is very relevant.

    1. Rural area satellite.

      Re: So what?

      If it works don't fix it in itself is a heathy approach, but it should not absolve management and owners from planning for change. If they do not the bill is simply served later on. The fnancial and human cost of locking operations down to only repairing and "keeping running" are high.

      It is evident that malware-makers (particularly crypto-lockers) are already targeting hospitals.

      When crooks blackmail your hospital into paying to unlock XP boxes are you going to ague that "if it ain't broke don' fix it". Malware riddled environments open up hospitals to seeing their higlly confidential data being siphoned off.

      1. Charles 9 Silver badge

        Re: So what?

        Plus you can never completely isolate a system. After all, there MUST be a way to transfer information in or out or it's useless as a device. As long as method exists, a method can exist to infect it. Not even Sneakernets are immune.

        1. Cynic_999 Silver badge

          Re: So what?

          "

          After all, there MUST be a way to transfer information in or out or it's useless as a device. As long as method exists, a method can exist to infect it. Not even Sneakernets are immune.

          "

          The I/O can consist entirely of keyboard, VDU and local storage, it does not have to include a plausible attack vector.

    2. Stevie Silver badge

      Re: Software does not wear out

      Does if you connect it to the internet. Two or three updates and it's threadbare and full of holes.

      1. RW

        Re: Software does not wear out

        I switched to Linux, Ubuntu 8, in 2008. It was interesting to watch Firefox fail to work with a greater and greater number of websites, particularly those who had converted to HTML5 for video support. Of course, I finally had to get a new computer (with Mint LInux 17) so I could still go a-youtubing, but now I keep seeing websites using only Flash for video.

        The more things change...

  18. Gis Bun

    How modern!

  19. Stevie Silver badge

    Bah!

    A triumph for the Windows 98 migration team, then.

  20. Ken Hagan Gold badge

    Amortisation, anyone?

    Anytime you buy some equipment, you should ask yourself when it will become worthless (at least for accounting purposes). To a first approximation, that happens with the expiry of either the hardware, the software or the vendor. It sounds like the hardware is still going strong in these cases (or is readily replaceable in the case of desktop PC systems) and so your main worries are software and vendor.

    Someone selling you kit and agreeing to share the design and all source code, with an agreement that says you can use that information either if the vendor disappears or if you think the vendor's support offering is too pricey, will immediately have an expected lifetime of N-times longer than the schmuck who sells a closed system. That makes it N-times cheaper than the (closed) competition.

    If your bean counters are doing their job properly, that should mean that an organisation the size of the NHS basically need never get into this sort of situation again. Indeed, any use of a closed system should immediately raise suspicions of corruption and back-haners, since it is so vanishingly unlikely that the deal is being costed fairly.

    Afterthought: A private sector organisation has to consider a fourth possibility, the expiry of itself. That might present a compelling argument for something that is cheaper this year and we'll worry about the costs next year. Countries tend not to go bankrupt, even when they run out of money, so they probably *shouldn't* be worrying about that fourth possibility.

    1. Anonymous Coward
      Anonymous Coward

      Re: Amortisation, anyone?

      "Someone selling you kit and agreeing to share the design and all source code, with an agreement that says you can use that information either if the vendor disappears or if you think the vendor's support offering is too pricey, will immediately have an expected lifetime of N-times longer than the schmuck who sells a closed system. That makes it N-times cheaper than the (closed) competition."

      Not if the vendor raises the price tag too high or just refuses on the grounds of trade secrets. They probably don't trust you, and nor will any other vendor since they have trade secrets of their own to protect. Programs are closed for a reason. If NO vendor offers an open source but you NEED the new equipment due to an immediate need to replace (which is how it tends to go), what option do you have left? You've just pushed the demand curve beyond the supply curve, meaning they don't intersect, meaning an unsatisfiable market.

      Also, another problem is that the software can be obsoleted without warning because the software industry moves so fast. Did anyone predict at the time of Windows XP that we'd be at Windows 10 now? Probably not. It's not the king of thing that's easy to predict.

  21. Anonymous Coward
    Anonymous Coward

    Move On Folks, Nothing Of Surprise To See Here

    As someone who used to work in a permanent role in NHS IT until made redundant, I can tell people reading this that the trusts in question simply don't have the resources to do anything about it. IT support in the NHS is a daily reactionary process, fire-fighting, if they manage even that. In most trusts it is regarded as a necessary evil, an unwelcome financial overhead, in terms of hardware, software and staff support. If they are still running XP it means the PCs in question are probably incapable of running any other version of Windows and don't have the staff resources or the financial means to outsource upgrading as a project anyway. In the county I worked in, only one Trust out of the four had a rolling replacement programme. Of the other three, only a number of months ago I learnt that one of the teaching hospitals was still running XP, even though they had outsourced IT support to the IT services arm of a really world-famous IT company. Apparently the expectation was that support would be cheaper and better than a continued in-house operation, but if they actually saved any money none of it was re-invested. This was a hospital that once applied for Foundation Hospital status.

  22. YARR

    When cheap disposable PCs / tablets can be had for little more than £100 it would make sense to let local trusts buy their own PCs strictly for internet access while all internal systems run on separate hardware which never touches the internet so doesn't have to be continually upgraded.

    1. Charles 9 Silver badge

      Except you never know when someone makes an effort to BRIDGE the devices, perhaps by a MAC-spoofed mole. Remember, not even Sneakernets and airgaps are immune.

  23. Instinct46

    Decent People

    How about instead of trying to pay naff money for naff tech people, they pay decent money for decent tech people... that way they don't have to keep binning billion pound projects, because they've not even come close to accomplishing the task at hand...

    A database which is accessible and easy, ... pay experts e.g. facebook, pay experts on what makes things easier e.g. the doctors they already have and not "experts" which haven't worked a day in a hospital e.g. health care ministers.

    1. JamesPond
      Thumb Up

      Re: Decent People

      How about instead of trying to pay naff money for naff tech people, they pay decent money for decent tech people.

      Excellent idea, unfortunately the NHS and in fact all public bodies have gone the opposite way. Just look at the BBC and the furore about paying talent their worth.

      In the NHS for example, Monitor has halved agency fees to the point where agency resources now get the same pay as permanent staff. Whilst you can argue the merits of utilizing agency staff all day long, halving pay means you are not going to get the same calibre of short-term staff to fill gaps. Why would any agency worker worth his/her salt, who doesn't get sick-pay, holiday pay, final salary pension etc. etc. work for the same pay as a permanent member of staff who gets all these benefits? They are asking the flexible, usually highly motivated and well trained agency worker to take all the risk for none of the benefits.

      This becomes a false economy because a lower calibre of staff means work gets done either badly or slower, or both.

      And with Brexit, this is going to create a perfect storm where agency staff are not willing to work for a pittance and they can't 'import' resources without significant barriers of immigration limits and visa requirements.

      1. Anonymous Coward
        Anonymous Coward

        Re: Decent People

        "They are asking the flexible, usually highly motivated and well trained agency worker"

        Hahahahaha. Hahahahaha. Hahaaaha. With the exception of one individual the agency staff I have worked with in the NHS over the years have been useless over paid wastes of space.

        1. JamesPond

          Re: Decent People

          You've met nurses and clinicians who don't know what they are doing? Then they should be struck off.

        2. Anonymous Coward
          Anonymous Coward

          Re: Decent People

          "They are asking the flexible, usually highly motivated and well trained agency worker"

          Hahahahaha. Hahahahaha. Hahaaaha. With the exception of one individual the agency staff I have worked with in the NHS over the years have been useless over paid wastes of space.

          Unlike the demotivated, untrained, mostly useless permanent IT staff I've worked with in a dozen NHS Trusts then.

  24. ecofeco Silver badge

    You have GOT to be kidding

    Is this report authentic? Oh sweet pogo chocolate Jesus, WTF?

    1. John Brown (no body) Silver badge

      Re: You have GOT to be kidding

      Is this report authentic? Oh sweet pogo chocolate Jesus, WTF?"

      No, it's click-bait.

  25. x 7 Silver badge

    I'll try to put this into context

    I've just completed a crash migration of around 500 XP machines on a hospital site (they were the remaining few from around 4000). Of that 500 around 60 could not be upgraded for various reasons of compatibility. Almost every machine had a different issue, some examples of what were found as incompatible:

    Switchboard software

    Security camera controlling software

    Power / light management

    Temperature control sensor suite in catering, and in pharmacy

    Engineering stock control

    Medicine-specific labeling software

    Security badge printing

    X-ray viewing equipment

    Various medical scanning / imaging gear

    Car park barrier management (and payments)

    Numerous automated lab machines

    Print server for ancient dot matrix printers (payslips)

    Many bespoke databases written in the year dot using Access 97/ Delphi / Borland / VB5/6........

    Ancient commercial software packages that are too expensive to replace - or for which there isn't a direct replacement (e.g. blood glucose analysis)

    Hardware for which Win7 drivers don't exist (e.g. a couple of expensive Samsung high capacity scanners)

    Call monitoring

    Emergency pager message sending

    Out of date cashier/till systems for which there's no replacement budget

    and the list could go on and on............

    Yes, some of these are easy to fix given a budget. But there's no budget. And the key point is only around 60 machines out of around 4000 are affected. I believe the basic premise of the story is wrong: most NHS trusts are well on the way to replacement, but are stuck with a hard core of machines which are an expensive PITA to do anything about

    1. Rural area satellite.

      Windows was promoted as a cheap solution for which there were ample developers available. One may wonder how good value these machines are in the long run. For some solutions (label-printers, pager-message sending) one may wonder if there are no other solutions.

  26. Anonymous South African Coward Silver badge

    And virtualizing XP does not always work, especially when XP need to communicate with certain hardware - and most hypervisors are not OK with that.

    1. Charles 9 Silver badge

      Custom hardware simply cannot be virtualized since their very function is considered a trade secret; you can't virtualize what you don't know. Thus we have the story of that computerized lathe that runs on XP because Vista and up doesn't support the ISA bus anymore and the lathe is controlled by a proprietary controller (trade secret, remember?) fitted to an ISA slot on the computer. Can't be upgraded due to that ISA card, and the lathe is still pretty young (meant to last decades and is still being amortized, so you can only cross your fingers.

      And depending on the direction hardware takes in future, this may become more common rather than less, given that most ARM SoCs are built with fixed hardware in mind and therefore are more likely to use hard-and-fast memory maps rather than any kind of enumerating bus (USB being the possible exception).

    2. Paul Cooper

      As other have said, it's the issue of direct interaction between hardware and software that is the killer. Many moons ago, we had an expensive stereo-plotter (a device for analysing stereo-photographs). It was vital for our operations for many years. Snag was that a) it was built and maintained by a tiny company and b) the operating software (which was written by a one-man band) REQUIRED direct access to hardware ports, and this couldn't be worked round because some of the timings were critical. The software ran on MSDOS, so it could have access to hardware interrupts! And as time moved on it became harder and harder to move data from the stereo-plotter to our main network. Eventually, we reached the position where completely software based solutions were available and cost-effective, and at that point we retired the kit. But of course, hospitals are full of kit where a complete software solution isn't feasible, and many of the more specialized bits of kit, even ones with a big price-tag, are produced by tiny companies. I'm actually surprised that XP is the earliest OS in use; I wouldn't have been at all surprised if it was a DOS version.

  27. Anonymous Coward
    Anonymous Coward

    The fault is the operating system

    It's one job is to run applications. That's it. If every 3-5 years the version of os is changed and in the process breaks all the apps that ran on it before, what is the point of it.

    So the point must be to make money for the os vendor. They have no interest whatsoever in building an os ecosystem that keeps apps working.

    Like others have said - no-one gives a shit about the os. They want it to get the hell out of the way so they can use the apps they want to use with as minimal change as possible on how to start them.

    1. Charles 9 Silver badge

      Re: The fault is the operating system

      Clarification: It's main job is to allow the user to run applications. If one only needed to run applications without user intervention, then you can get away with something simpler like a scheduler. Only thing is, users have a wide range of aptitudes. Many need help (the ones who wouldn't know a network fob from a thumb drive), and you have to cater for them. And their #1 priority, the #1 priority of ANY job, is to COMPLETE the job. All else comes secondary. And no, you can't always train them, and if you raise your standards too high, you run the risk of no takers. And remember, medicine and computers aren't necessarily highly overlapping fields of expertise.

    2. David Roberts Silver badge

      Re: The fault is the operating system

      There is one small problem there.

      The usual expectation for an OS is to make a one off payment (not too expensive, obviously) and then have open ended free support. People also generally expect to pay for a software package and just keep using it.

      Beyond a certain point this is not a finacially viable model for the supplier.

      Tough, you say, that's their problem the money grubbing bastards.

      Eventually it is the users problem when the supplier can no longer afford to support the software and/or goes out of business.

      The tactical approach is to spend as little as possible this financial year (see all industries which rely on infrastructure). Bonuses reflect cost performance in the current year.

      The strategic approach is to budget in this and every future year for ongoing infrastructure maintenance including (with software) support, migration, update and escrow of the software including the supporting hardware and the build environment.

      Good luck with the business case (nuclear, railways, roads, navy.......specialist computer controlled hardware..... ).

      1. Charles 9 Silver badge

        Re: The fault is the operating system

        So how do you handle long-term business needs in a world full of short-sighted, penny-pinching investors and executives?

        1. Aladdin Sane Silver badge

          Re: The fault is the operating system

          SaaS

          1. Charles 9 Silver badge

            Re: The fault is the operating system

            Um...given patient confidentiality mandates, how do you do SaaS without breaking those mandates?

            1. Aladdin Sane Silver badge

              Re: The fault is the operating system

              Very, very carefully?

        2. RW

          Re: The fault is the operating system

          You take care to send them emails (of which you have printed hard copies) pointing out the mistake they are making. Use exactly the phrasing you used in your post, go ahead tell them that their penny pinching and short sightedness mean long term business needs are not being met.

          At least then you have covered your own ass when the wheels fall off.

      2. Roland6 Silver badge

        Re: The fault is the operating system

        The usual expectation for an OS is to make a one off payment (not too expensive, obviously) and then have open ended free support. People also generally expect to pay for a software package and just keep using it.

        Beyond a certain point this is not a finacially viable model for the supplier.

        That hasn't been the case in the commercial non-Windows environment where software was always priced as an upfront purchase cost followed by annual licence and maintenance/support fees.

        Whilst the PC world has expanded computing to non-traditional IT user groups, namely: homes and small businesses and has done so through a one-off upfront payment, when it comes to business'es the traditional annual fee model has been applied, even by Microsoft.

    3. RW

      Re: The fault is the operating system

      Remember, Microsoft makes a lot of money out of software churn.

      Where does that money come from? Right out of the pockets of their customers, including ones left high and dry by the latest release of Win.

      I am astonished (still, after decades of coping with Windows in different versions) that anyone would use Windows for mission critical apps, particularly life-or-death situations that are so common in hospitals.

      I run Linux myself at home, but I'm far from prepared to say that Linux is the solution to software churn.

  28. wyatt

    Sainsburys supermarkets still have XP in their stores as well. Sure there are lots of copies still in use due to legacy software that will never get replaced.

    1. Charles 9 Silver badge

      I've spotted a few other places that still use XP-based machines, mainly due to sunk costs and recent cycle changes that missed the boat. They won't be moving for a while yet, if at all.

    2. Chris King Silver badge

      "Sainsburys supermarkets still have XP in their stores as well"

      They're most likely XP Embedded Standard/POSReady 2009 systems, so they'll continue to get support until January 2019.

      1. Charles 9 Silver badge

        Re: "Sainsburys supermarkets still have XP in their stores as well"

        INCLUDING the back end machines which definitely AREN'T POS units?

    3. Vic

      Sainsburys supermarkets still have XP in their stores as well.

      A couple of years ago, I saw a bunch of Sainsburys checkout machines being rebooted.

      They weren't running XP. They were running 2K...

      Vic.

  29. MJI Silver badge

    Blame MS for writing a working OS with XP

    They produce an operating system which runs programs.

    A program I ran on my XP machine produces

    Unsupported 16-Bit Application

    then too much blurb for me to type in.

    The language was extrememly popular in the 90s for database applications, I know of at least one large hospital system written in it (I knew the head programmer).

    DOS 6.22

    MUDOS fine

    Real/32 fine*

    WFW fine*

    95 fine*

    98 fine*

    NT4 with some issues*

    2000 fine*

    XP fine*

    Vista 32 with some major issues*

    W7 32 with showstopping issues (NETBIOS)

    W7 64 no hope

    * running client server as well!

    W7 32 was killed off due to killing off IP support for the program which provides client server access.

    We do factory software.

    So what did we do in the real world?

    Vista - upgrade to XP, or run in a low resolution mode

    W7 - tough, we tried, at first use your XP PCs, later test our new Windows software.

    Huge DOS system, it took over 5 years to get into a viable WIN32 version. MS does not understand the software industry, you buy software to do a job, not because it is written in X.

  30. Defiant

    So long as you have decent antivirus software and don't use them to access the internet I don't see the problem

    1. Charles 9 Silver badge

      Malware can come in through other means (even the keyboard), plus your network could get accidentally (or maliciously) bridged.

  31. Anonymous Coward
    Anonymous Coward

    Given that legacy web apps that require IE compatibility are a large part of this problem - and one that also exists in other big industries (engineering, finance) - it surprises me that no one has developed a browser based on open-source code that emulates IE but runs on whichever OS is convenient.

    1. Charles 9 Silver badge

      If it were only that, you could stuff an XP/IE instance in a VM and call it a day. No, more often than not hardware is the real problem. It's also one of the few things you can't virtualize, especially where custom hardware is involved.

  32. Anonymous Coward
    Anonymous Coward

    I think there is a subtle difference between 90% of NHS Trusts being reliant on a small number of xp machines to provide services which they have yet to migrate. Versus 90% of NHS Reliant on XP.

    As someone who works in the NHS in IT I can say measures are always put in place where a decision is made to retain an XP device.

    For example if a security door management system was designed to run on XP and the company wants £40,000 to update the software to run on a Windows 7/10 or Server, or a new system is going to cost £100,000. Measures can be put in place at a much-reduced cost. Things like network segregation be it physical or virtual. Hard/Soft firewalls etc.

    As a public body we have to show value for money, and in some articles you praise the boxes which have been running in the corner for 20 years that no one has touched, yet kind of condemn the NHS if they even attempt to do something similar.

    I would argue I know of no NHS trust which has XP as its desktop of choice for the majority of its users. Most desktops and other end user devices have already migrated to Windows 7 or beyond.

  33. Anonymous Coward
    Anonymous Coward

    Win XP still has its uses

    Don't diss Win XP as that is the latest windows I can run on my ancient Thinkpad with only 256 meg of memory but also critically has a now nearly nonexistent 9 pin serial port. Of course that bad boy never goes on a network and is only used for testing instrumentation through serial (need it to be mobile).

    1. Charles 9 Silver badge

      Re: Win XP still has its uses

      And is there any reason it MUST be a genuine, physical legacy serial port and not a USB-based device?

      1. John Brown (no body) Silver badge

        Re: Win XP still has its uses

        "And is there any reason it MUST be a genuine, physical legacy serial port and not a USB-based device?"

        In some cases, yes. It depends how the software access the RS-232C port, timing, quality and comparability of the USB converter and it's drivers. Some work, in some situations. Some will work with some devices while a different one will work with other devices the first one won't work with . It's weird, maybe black magic is involved. In some case, the USB converter simply doesn't handle all possible cases of RS-232C signalling, especially for older 25-pin serial which may well need all those signals missing from the 9-pin ones. I've seen cheap ones which can barely do more than handle Rx, Tx and Gnd, using software handshaking only and fail completely if RTS/CTS is required.

        1. Vic

          Re: Win XP still has its uses

          It's weird, maybe black magic is involved

          Probably far more prosaic...

          RS-232 is defined as +3V to +15V and -3V to -15V, but many serial ports used to use ±12V, as those rails were readily available from a PC. And I've seen hardware assume that that is what it's going to get. Moving to USB adapters typically gives you ±5V, so such hardware can get mighty confused.

          Vic.

  34. SharkNose

    None of this surprises me. We have customers using old versions of an application we used to sell which ran in what used to be called Tandem NonStop hardware. Those same customers often keep those machines going by buying spares through eBay and the like. We are talking large high street businesses running relatively mission critical functions that have the ability to impact retail commerce throughout the UK if they stop working.

    1. RW

      "Relatively mission critical functions"

      Strike the word "relatively".

      As fate would have it, I was just thinking about the unnecessary use of "relatively" earlier today while out and about. The things one thinks about!

  35. abrogard

    I sympathise with the NHS.

    If you've got a platform that works stay with it. The continual changing of platforms is a major inconvenience or worse. For all that overall things get 'better'. In quotes because you need to consider by what measure.

    I still use XP. And win10 and win7. Because I have hardware that literally needs XP. And I have other hardware (and software) that needs win7 or 10.

    I get more speed out of XP on my Asus A8nSLI than I do from Xubuntu. I run an HP3150 on XP where there's no drivers for anything else.

    Note there's no drivers because they've chosen not to make drivers. Not because it is some sort of impossibility.

    So here at home I can see the planned obsolescence and I can see the pragmatic difficulties.

    Now the NHS has massive investment in critical software. I'm in Australia, I've seen the expensive debacles you can have with massive software installations especially when new. We had an enormous fiasco when the govt commissioned online Unemployment/Job Seeking software.

    And I used to be a programmer.

    Porting software to new OS's can easily become a nightmare. It is not a trivial exercise. Simply changing software to fit new printers can be a nightmare. Simply incorporating new reports can be a nightmare. And these nightmares cost money and time and inconvenience thousands or millions of people.

    Simply because software and hardware is old doesn't make it not fit for purpose. Move a lever by hand to achieve a task. Then put in a servo motor you switch on to move it. Then remote control that servo motor. Then put in a command centre that remotely controls many such motors. Then put in a command system that oversees everything.

    That's modernising. That's technological development. That's how it goes.

    At the bottom that lever is being moved, is all.

    We need to ask if we need all the rest of the 'development' and in the calculation we need to factor in the costs - including human cost in all aspects.

    We're not in a dreamland here. Look around, enquire, and see how many banks and such are employing software written in COBOL, still to this day. How many scientific institutes are using software written in FORTRAN. And so on.

    XP is not 'wide open to hackers'. That's typical media beat-up hysteria.

    NEW system are 'wide open to hackers' simply because they are new, untested for the most part. Hasn't history shown that very clearly? How many security updates in the first year of win10?

    All systems are 'wide open to hackers' because that's a phrase without adequate definition. A system apparently impervious to attack today, lauded and applauded, looks ridiculous tomorrow after a backdoor or an achilles heel is found.

    All systems are like cities on a plain surrounded by besieging armies, the hackers.

    All systems benefit by being isolated. Firewalls. Partitioning. Circuit breakers. Parts of a system that are not required to have access to other parts are ideally cut off.

    All systems benefit by RAID and similar philosophies.

    Tremendously sophisticated and complicated software/hardware systems with online criticality benefit from long periods of stasis wherein they are studied and improved and protected.

    Demand for constant change and thoughtless unnecessary 'improvement' brings uncertainty, unanticipated issues, complication and danger.

    I am totally on the side of the NHS and its managers and particularly its IT people.

    It is better that it remain firewalled behind a well understood XP system, doing what it does and doing it well with securities constantly strengthened while work goes on to develop a different and parallel system on some other platform, software and hardware, that can work in parallel once created and prove its validity by running without fault and impervious to hacker attack for six months or more.

    That's the way to go.

    It is a question of building another system.

    Not a question of attacking this one or the people that have built it, run it, protect it.

    1. Anonymous Coward
      Anonymous Coward

      "It is better that it remain firewalled behind a well understood XP system, doing what it does and doing it well with securities constantly strengthened while work goes on to develop a different and parallel system on some other platform, software and hardware, that can work in parallel once created and prove its validity by running without fault and impervious to hacker attack for six months or more."

      But how do you do that when you're not given enough budget for the job? It sounds nice given enough budget for a pilot plant but more often than not you're not given the resources until the existing machine breaks or you're given a "bridge too far" project: required to maintain an XP machine that, due to its fundamental function, MUST leave a gaping hole open but also can't be updated, meaning you can't defend it without breaking it, too.

    2. Anonymous Coward
      Anonymous Coward

      I'm sorry, but "XP is not 'wide open to hackers'. That's typical media beat-up hysteria." is naive. Keep XP well behind firewalls and preferably air-gapped. Once exposed and accessible XP attracts from the curious to the criminal.

      Many "from honeypot to bot" tests have shown that it does not take long.

      1. Anonymous Coward
        Anonymous Coward

        But what if it's Internet-facing but CAN'T be upgraded due to the software it runs not being supported beyond XP? So now you have a wide-open business-critical box that can be pwned at any time?

        1. Vic

          But what if it's Internet-facing but CAN'T be upgraded due to the software it runs not being supported beyond XP?

          No such machine. If it really needs to provide an Internet service, you put it behind a filtering proxy.

          Vic.

          1. Anonymous Coward
            Anonymous Coward

            "No such machine. If it really needs to provide an Internet service, you put it behind a filtering proxy."

            Oh? What if the very way you connect to it is the SAME way you pwn it? You can't replace it AND you can't filter it, so proxies are useless here. Worse, you may not have the budget for such a proxy.

            1. Vic

              Oh? What if the very way you connect to it is the SAME way you pwn it?

              Then you need to make your filtering proxy good enough to permit those connections that are desired whilst forbidding those that aren't. How best to do this depends on what the server is doing; a simple firewall might do the job, or you might have to write a custom server to proxy the dangerous one. But that is all detail: if the server can be pwned from the Internet, it needs to have no direct connection, and any connectiuons that are made need to be filtered. And there is no other way of doing the job.

              You can't replace it AND you can't filter it, so proxies are useless here

              You can filter it. You always can. It just might not be the most cost-effective way of solving the problem.

              Worse, you may not have the budget for such a proxy.

              Then you are too clueless to run a business. This is simple risk-planning.

              Vic.

              1. Charles 9 Silver badge

                "Then you need to make your filtering proxy good enough to permit those connections that are desired whilst forbidding those that aren't. "

                And if they're one and the same? IOW, a pwning attack can look too close to a legitimate request to raise your false positive rate too high and get complaints?

                "Then you are too clueless to run a business."

                Who says I'm running it? When you're told to DIE (Do It or Else), and there's no other ship to jump to, you come to realize a foundering ship is preferable to the sharks.

    3. Anonymous Coward
      Anonymous Coward

      "XP is not 'wide open to hackers'. That's typical media beat-up hysteria."

      Urm... maybe you'd like to take that comment back now?

  36. david 12 Bronze badge

    >Microsoft’s 15-year-old desktop operating system.

    It's not, of course, a 15 year old os. Window 5 is is a /16/ year old operating system. Or Windows NT is a /23/ year old operating system. Or WinXP SP2 is as /12/ year old operating system. Any one of which makes more sense that picking the release date of a 15 year old /trademark/

  37. Revelationman

    It really summarizes IT in general in the UK, do on the cheap, hold back as much as you can , blame IT for things screwing up , meanwhile the bean counters, and managers, are laughing at you,

    That is why many leave in the industry because of inept Managers, lack of proper spending, I will say IT in the UK is dreadful, just the very thought of companies still running XP is shocking, but there is many more places that continue to run a system that has pasted it's best before date.

    IT upgrades should be done every 3 years,

    1. Anonymous Coward
      Anonymous Coward

      "but there is many more places that continue to run a system that has pasted it's best before date."

      Odds are, it also absolutely CANNOT be replaced. At all. What then?

    2. Rogue Jedi

      IT upgrades should be done every 3 years,

      a few years back I was working in a school, and there were IT upgrades every 3 years, the "most important" computer rooms had there PCs replaced every 3 years, those 3 year old PCs were then put in the lower priority rooms, and 3 years later in the lowest priority rooms, at about 9 years old they were (usually) retired.

      Unfortunately the lowest priority rooms tended to be the ones which ran things like Computer Aided Design packages, which did not like the 6-9 year old hardware, while the highest priority areas were the rooms used for ICT lessons (head of ICT was also the network manager, so set the priorities) now ICT mostly being the MS Office suite did not really need the most powerful PCs but the current years versions of AutoCAD and Solid Works were more resource intensive but of course CDT did not have the budget to purchase new PCs every few years.

      Most of the computers were updated to Windows 7 in 2012 but when I left in early 2015 we still had about 40 PCs (out of about 750) running Windows xp because there was no Windows 7 compatible network driver available for them

      1. Anonymous Coward
        Anonymous Coward

        Re: IT upgrades should be done every 3 years,

        I wonder what we will look back on in 15 years:

        a. "Rolling" Win 10 will have eliminated some delayed upgrades, but many "solutions" that communicate directly with hardware and have other strange software choices will not be able to upgrade. Becasue of the effects on the security they will still need to be firewalled and preferably airgapped.

        b. Some devices will have gone IoT with updateable/patchable OS and meeting security standards to communicate with databases and allowing the writing of log-data to the cloud. But the percentage will be lower than one might hope.

        Then again, maybe all medical staff will be uiquely identified by NFC based stuff and wil get access on many devices to integrated backends full of useful information while the medical equipment writes to the cloud for logging, billing and accurate filing.

  38. Anonymous Coward
    Anonymous Coward

    They could test a few machines from various departments with Linux, if it can save money, then why not, in fact, you can run Linux on lower spec machines, this will save money on hardware upgrades, especially with the NHS with all their money struggles,this should be option they should test,

    1. Charles 9 Silver badge

      Unless, of course, the software meant to run on them has no Linux equivalent which is usually the problem. Many computers get stuck on XP because either the required software or the hardware have no support beyond XP, creating a stranding situation.

  39. RW

    A better analysis

    The correct summary of this event: NHS tells Microsoft to stop changing API's and UI's when it's not necessary.

    Microsoft, of course, keeps changing what doesn't need changing because they make money from software churn. That this imposes the high cost of employees endlessly having to crawl up new learning curves is something Redmond simply neglects to mention.

    There is also the cost of re-writing custom software.

    Part of the theory of biological evolution says that most viable mutations are small because most organisms are already so well adapted to their environments that very little improvement is possible. Any large change will probably (n.b.) be for the worse. The same is true of mature, tried-and-tested software. Like WinXP.

    Bill Gates needs to stop hoarding cash and accept that the personal computer market is now mature, so profit levels will not be what they used to be.

  40. Mike Friedman

    There's absolutely no excuse for this.

    I can't believe that 90% of NHS Trusts have some app they cannot move off of Windows XP. This is sheer laziness on the part of IT staff. Yes, doing a huge migration project is a pain in the as, but now you're really in the fire. I'll bet you their backups suck as well.

    1. fredj

      Re: There's absolutely no excuse for this.

      Anything done in a health care situation may have to be FDA approved even outside the USA if the application has a wide usage. Now add that cost to your computer budget.

      Very few IT staff can write end user code and you can bet it is not part of their job description.

  41. fredj

    With working life of experience of computers from when a gui was two red leds and a teletype..........

    Most people work at a pay grade as high up as they can get by leveraging their whole brain to support a job and acquire enough skill to keep the job and have a life as well. That is fact. They do not include becoming a Microsoft jockey in their life statement.

    I worked with scientific instruments in laboratories so I have forced myself to know about computers as control devices and later on as data storage and information handling enablement. At the same time I have done my utmost to avoid becoming a microsoft jockey. Doing that is a total waste of my real skills as a scientist. In fact, if I have worried about computers, it is to make them work and I can write software for that purpose. Microsoft has been a drag on everything I have ever done but. It was like a deal with the Devil to get my pay checks. They have been a major cost centre in every project I have ever worked on.

    Imagine a doctor/nurse/policeman/armed services soldier and so on. What possible interest have they got in Microsoft when they can do what they need to do with a pen and paper? Their bosses may well be very interested in big data collection and analysis but again none of them want to become microsoft jockeys either. They are not being paid for that.

    As for linux! It is only in the last five years that I would ever have considered using it seriously in a general work place environment.

    Interestingly mobile phones may be the salvation of networked computing. Users can just use them with a web interface. The phone and the server support can then be managed by microsoft or linux jockeys and the mobile phones can be junked every three years or be fully software updated remotely. Non jockeys will be free of the microsoft curse for the first time in half a century. Their relief will be much the same as having WCs installed in their houses.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019