Thousands of patient records could be left exposed to hackers, as up to 20 NHS trusts have failed to put an agreement in place with Microsoft to extend security support for Windows XP via a patch, The Register can reveal.
The majority of trusts still operate Windows XP and have signed up to a £5.5m Cabinet Office agreement with Microsoft to extend support until April 2015. But 18 trusts – including some larger authorities – have failed to sign the agreement, according to 140 Freedom of Information request responses sent to The Register.
Some trusts in England have more than 4,500 machines running Windows XP, with no security patches in place to provide protection, the FOI responses revealed.
In a letter headed "urgent action", the Cabinet Office notified trusts in April of its deal with Microsoft: "If you have not migrated away from Windows XP, Security Patch downloads will only become available to organisations once you have put a Premier Services Agreement (PSA).
"It is imperative that your organisation clearly understands the risk that is placed on it should the decision be not to take out a PSA," it said.
The deadline for the PSA was prior to the first full patch release on 13 May 2014.
David Harley, a former NHS IT manager who now works as a senior researcher with net security firm ESET, said it was impossible to gauge the full extent of the security implications of trusts failing to sign the PSA. The level of risk will depend on the context for which the machines are used, he said.
"If there is an internal network connection (even sneakernet), the risk increases, but that risk may depend on how many non-upgraded machines are on the network, the effectiveness of perimeter defences, the availability of suitable exploits to a potential attacker, and so on. An internet connection on a machine that carries sensitive data itself, or allows access to it, is probably most at risk," he said.
The ability to mitigate security risks will also depend on the competency of the individual trusts.
A total of 1.1 million PCs and laptops are estimated to be running Windows at trusts, GPs and other health groups that comprise the NHS in England.
But there are growing concerns that even trusts with extended Windows XP security support in place could be left vulnerable after May 2015, as they have not yet put a Windows 7 migration strategy in place.
Last week The Register reported that 74 per cent intend to have finished migration just before Microsoft withdraws extended support.
It is thought that some trusts may have decided not to upgrade to Windows 7 yet because it will involve a costly overhaul of applications which can only run on XP.
In its service manual last year, the Cabinet Office warned departments to consider the exit costs of their IT purchasing decisions: "You may find that you have become locked-in to a particular contract or technology. As part of your consideration of the total cost of ownership of a particular solution, you should have estimated the cost of exit at the start of implementation." ®