Many of the systems that were hacked are still on XP because they are running a critical system that in incapable of being upgraded.
I have heard of some very expensive pieces of medical scanning equipment that are tied to XP. They cannot be upgraded without replacing the hardware, and you're not going to replace a medical scanner that costs a couple of million pounds when the one you already have works well is expected to still have another decade of use.
So why can't the version of Windows on the scanner be upgraded? Because the hardware drivers for it don't work with newer Windows versions.
They're stuck on an old version even after all this time because hardware like this goes through a years-long development and certification process before it even starts getting purchased by hospitals; upgrading to a completely new OS would also mean rewriting a lot of the core control software which means you have to start all over again with the certifications. And when hospitals do get to buy a piece of kit like this, they expect it to last long enough to pay for the investment. It's no wonder they're all still running XP.
But the problem is not so much that support was stopped for XP, it's that hardware like this should never have been based on XP in the first place. It isn't Microsoft's fault; it's the fault of the developers of the hardware. And frankly it should be they, not the NHS that should be the ones on the hook for making sure it is kept patched -- the lifetime support contract that the hospital signs with the vendor to look after the kit should include the software and operating system as much as the actual scanning hardware itself.
Biting the hand that feeds IT
