End-of-life for Windows 7 is scheduled for 14 January 2020, but the operating system remains prevalent in the NHS.
As of 30 June 2019, 1.05 million NHS computers were still using Windows 7 – around 76 percent of the NHS estate – according to a parliamentary response provided by Jackie Doyle-Price, who was minister for mental health at the time.
On 14 January, Microsoft will stop providing security patches, updates and technical support for Windows 7. These help protect users from new malware attacks, which hackers could be holding back until the deadline passes.
These risks are particularly acute for the NHS, as the 2017 WannaCry cyber attack exposed. The ransomware affected at least 80 out of 236 NHS trusts, forcing the cancellation of around 20,000 hospital appointments and operations, and prompting five A&E departments to divert their patients to other hospitals.
Jo Platt, the Shadow Cabinet Office Minister with responsibility for cybersecurity, called the continued prevalence of Windows 7 in the NHS “deeply concerning”.
“The WannaCry cyber attack two years ago starkly proved the dangers of operating outdated software,” she said. “Unless the government swiftly acts and learns from their past mistakes they are risking a repeat of WannaCry.”
In April 2018, the Department of Health and Social Care announced a deal with Microsoft that would give NHS organisations free access to Windows 10, but the migration has nonetheless proved challenging for many of them.
NHS organisations typically have tight budgets and staffing constraints that make it harder to upgrade their operating systems than it is for large enterprises. In some cases, the operating system might be too advanced to run on NHS computers and servers.
They are not alone in their struggles. Windows 10 was released in 2015, six years after Windows 7, but didn’t surpass the global market share of its predecessor until December 2018, according to research by Net Applications.
“The reasons behind this lag vary depending on the software in place, which may be unable to run on the newest OS versions, to economic reasons and even just down to habit,” Alexey Pankratov, enterprise solutions manager at Kaspersky, said in a statement.
“Nonetheless, an old unpatched OS is a cybersecurity risk – the cost of an incident may be substantially higher than the cost of upgrading. This is why we recommend that customers migrate to supported versions and ensure that additional security tools are in place during the transition period.”
Overcoming the challenge
The memory of WannaCry has been a driving force behind a comprehensive migration plan at NHS East and North Hertfordshire CCG.
“One of the big challenges with WannaCry was people were still on Windows XP, and when you're on the older operating systems, as an IT service, it becomes much harder to patch an older out of date environment,” Phil Turnock, chief digital officer at the CCG, told Computerworld. “So it's important for us to get on top of that and to migrate to the latest operating system.”
His team spent around 18 months planning and preparing for the migration, which included designing a new Windows 10 operating system with different versions for the different environments spread across the multiple trusts that come under the jurisdiction of the CCG.
This summer they started the deployment. They’re now around halfway through the migration, which is on schedule for completion by April 2020.
“We've had a very clear programme this year to push through the Windows 10 deployment,” said Turnock. “What we've done in the background is scripted a lot of that so that we can actually push it out quicker in more of an automated way.”
Turnock has observed varied levels of maturity at different NHS trusts. His own CCG has around 9,500 end user devices distributed across a range of sites. Acute trusts tend to have smaller networks but they are heavily reliant on applications and processes.
Migrating these legacy applications can be a costly and complex process, particularly if they are business-critical and need to function immediately in any new environment. All of this needs to be accounted for in the migration plan.
“They've got a lot of legacy applications, which they need to factor in,” said Turnock. “Their desktop builds will often be more complex than ours. Ours are portions; we are fairly simple in terms of our Windows 10 build because we have less applications. We have clinical applications, but we don't have so many diverse clinical applications.
“The challenges that acute trusts have is they have circa 100 different clinical applications, which they've got to factor into their Windows 10 builds. That makes the planning more complicated.”
It can also make the process expensive. Sean Robinson, director at the licensing and software asset management specialists License Dashboard, offered the following advice on how to keep the costs of migration down:
- Leverage platform discounts in Microsoft Enterprise Agreements and the ability to pay over three years
- Subscribe to Microsoft 365 (which combines Windows 10, Office 365 and other software in one subscription)
- Use App-V to stream software that is incompatible with Windows 10 (subject to very specific licensing scenarios)
Final preparations
If you are unable to upgrade by the deadline, the National Cyber Security Centre recommends some steps to minimise the risk of using obsolete platforms in its Obsolete Platforms Security Guidance, starting with preventing devices from accessing untrusted content and preventing access to sensitive data or services from vulnerable devices.
The 14 January deadline is also not quite as definitive as it appears.
In October, Poornima Priyadarshini, a senior technical programme manager at Microsoft, posted a blog explaining how some volume license customers can continue to receive security updates after the 14 January deadline.
“If your organisation is unable to complete the transition from Windows 7 Pro or Enterprise to Windows 10 – or from Windows Server 2008 and 2008 R2 Datacenter, Enterprise, or Standard to the latest version of Windows Server – prior to the end of support on January 14, 2020, we want to help you by ensuring that these devices running these select editions and versions continue to receive security updates while you complete your Windows and Windows Server upgrade projects,” she wrote.
These tips should not be read as a reason to delay the migration. The added security alone will be worth the effort and expense, and the migration will also leave the organisation with a more effective IT environment with the new features and future-proofed compatibility of Windows 10.