Windows XP's demise - sits back; opens popcorn

[AndyT]

The mainstream media haven't really picked up the NHS story yet, but it should be fun when they do.

E.

......
FWIW I think the blame for non-renewal of the Microsoft EWA belongs in the Cabinet Office rather than with the DH, at the time that they were very keen to be seen cancelling anything associated with the previous administration, whatever the consequences. IIRC there was some talk of a bigger pan-public-sector deal that the NHS would be able to take advantage of, but it never happened, as far as I know.

......

Are we sure that it was the Coalition? Labour were also in Govt in 2010 surely?

According to this report http://www.ehi.co.uk/news/ehi/6079 the MS deal was announced dead in July 2010; the government had changed in May 2010.

There was widespread dismay at the time that a relationship with Microsoft was being ended (having previously been praised as a success and extended) without any strategic direction to replace it.

 

[RogerS]

Thanks for the clarification and link, Andy, which makes interesting reading - especially some of the comments. However some of it is very unclear...for example

Because the NHS Enterprise-wide Agreement was for perpetual licences, NHS trusts will still be able to use most existing software and will still have access to Office 2010 Professional and Windows 7 Professional.

which seems to suggest that they can run W7 as part of the agreement. But then it goes on to say

But future releases of desktop, operating system and server licences will not be covered.

So does that mean security updates? I'm not up on MS nomenclature and so unclear on exactly what a 'release' consists of.

Leaving all that aside, although it does seem short-sighted, what could the DH have done..especially if support for XP was being dropped?

As ever, it comes down to lack of strategic thinking by politicians and (some) civil servants (I say some as reading posts above it would appear that some NHS Trusts have been forward thinking). That lack of strategic thinking applies to all political parties. Or maybe that should just read 'thinking' ?

It reminded me of several years ago, a Grade 5 civil servant in IND (now Border Agency) saw the film Minority Report and thought wouldn't it be a whizzy idea of have iris scanning at Points of Entry. He saw promotion and a glittering career path as he would have 'solved' the queuing problem at Immigration. So he asked his secretary to ring up Iridium to find out how much it would cost. She rang them and asked the question. Their (correct) response was to try and tell her that it wasn't that simple. That one had to consider all the other factors such as systems integration, change management, hardware procurement etc. The Grade 5 dismissed these factors. "Just tell me how much your software costs" he replied. So they did. And that was the figure that went into the budget for the project. Ho hum.

 

[Mark A]

I'm very surprised that people are still using XP.

I will admit, rather sheepishly, that we have three PC's running Windows XP: one home computer which works quite well, though it does become frustratingly slow when too much is asked of it; and two office computers, which are really on their last legs.

I'm inclined to listen to the opinions of the more computer-literate people on this forum than myself, however I will have to convince those who hold the purse strings is anything is to be done about it.

Could anyone explain in layman's terms the full implications if Microsoft ceases support for Windows XP so I can pass it on to the boss?

Many thanks,
Mark

 

[Eric The Viking]

Could anyone explain in layman's terms the full implications if Microsoft ceases support for Windows XP so I can pass it on to the boss?

Many thanks,
Mark

Shameless plug (twice): We have had two recent articles on the company blog about this,
this one and this one. Best read in that order.

Hope that helps.

E.

 

[AndyT]

Thanks for the clarification and link, Andy, which makes interesting reading - especially some of the comments. However some of it is very unclear...for example

Because the NHS Enterprise-wide Agreement was for perpetual licences, NHS trusts will still be able to use most existing software and will still have access to Office 2010 Professional and Windows 7 Professional.

which seems to suggest that they can run W7 as part of the agreement. But then it goes on to say

But future releases of desktop, operating system and server licences will not be covered.

So does that mean security updates? I'm not up on MS nomenclature and so unclear on exactly what a 'release' consists of.

I may be wrong on some details as I am trying to remember what other people were talking about several years ago, but Yes, if Trusts had used the agreement for their o/s licences, they can legally run W7 and get security updates, but only for their original number of PCs. They don't have any upgrade path to W8, 9, 10 etc. Similarly they can move their Office users onto 2010 but not 2013 or beyond.

The end of the central deal meant that the licences all need to be counted and accounted for, up to a fixed number and no further. Hospitals never have had "a corporate key given to them by Microsoft."

Some sites would love to upgrade to W7 but still have the problem that their central admin systems - overdue for replacement but not replaced - include outdated proprietary code that requires them to stick with an old o/s+browser on the PC. That is largely a result of neither the buyer nor the seller of those systems expecting them to still be in use so many years after they should have been replaced.

Somehow it is hard to convince taxpayers and press reporters that "Buying new computers" is a sensible and necessary thing for hospitals to do. Warnings from the IT department of the risks of delay can often be ignored or resisted, especially if set against sacking staff to pay for it.

 

[kdampney]

Mark - if (when) Microsoft ceases support for XP, they will stop doing security fixes for it. Which means that when someone finds a security flaw in, say, an obscure part of a messaging protocol that you never use but was installed by default, then they can exploit that to their hearts content. Probably anyone who exploits these things has a long list of what they could do, but are waiting 'til April to use them.

Hypothetically the risks are the same as any internet-enabled PC that is never upgraded - key-logging, monitoring your network, access to files, webcam, etc. etc.

As a previous comment stated, probably other software companies will stop supporting XP too from April (ours is planning to drop it), as the costs of updating and testing software on XP, Vista, 7 and 8 (and IE 6-8, which is all you can upgrade to on XP) is higher than just the most recent versions. Banks could insist you don't access their systems on potentially compromised operating systems, etc.

So best to upgrade. Slightly to my shame (as a software developer!), we still use XP at home, but won't be very soon!

 

[Paul Hannaby]

Mark,
The problem is something like this -

Currently, any holes in the security of your operating system (whether it is XP, Win7 or whatever) are plugged by Microsoft fixing the hole and releasing a patch in the form of a security update. After April, no patches will be released for XP so any new holes found in security will not be plugged, leaving you open to attack from malware, criminals after your bank details etc. etc.

This risk is compounded because later operating systems are largely based on the previous ones so under the surface, XP, Vista, Win7, Win8 share some components. This becomes a problem when, after April, if a new flaw is found in Win7 for example, Microsoft will release a security update for Vista, Win7 and Win8 but not for XP. This will serve to advertise the fact that the same hole may well exist in XP and those wishing to exploit it may be able to reverse engineer the Vista/Win7/Win8 patch to identify the hole in XP and use it to attack any XP machines.

It's up to you to decide if the risk is acceptable. Perhaps if you just surf the web and use email for nothing private or personal, having your PC security compromised wouldn't necessarily be a problem to you but if you shop online, do internet banking etc. you would be at risk of having your bank account and payment cards open to abuse.

 

[mind_the_goat]

I'd like to think that in a hospital the desktops would be sitting behind a properly managed firewall, on a server running something more up to date and a mail server with some degree of virus scanning.
This is less likely in a doctors practice but even then an up to date security suite would continue to provide some protection. Not saying it doesn't matter that there is no support but there should still still be some protection from external attacks. This assumes that the issue is with desktops only of course, in these environments one would expect all the important data to be on the servers (No, I don't really believe this is true).
Unfortunately I can't see a big public organisation like the NHS would be adopting Linux anytime soon, especially if they have a heap of proprietary software that only works on windows. It would have been a good time to do it as in my experience the move to newer windows and office versions do cause a productivity drop at first due to the changes in the UI. Moving to Linux would also do this but afterwards you are no longer reliant on Microsoft.

 

[AndyT]

I'd like to think that in a hospital the desktops would be sitting behind a properly managed firewall, on a server running something more up to date and a mail server with some degree of virus scanning.

Yes to all three of those.

 

[Eric The Viking]

There is an open source movement in the NHS.

There are a lot of positive noises being made, but very little actual investment beyond the middle management level(s). Or so I believe (and that's how it was at the beginning of last year). I think nobody wants to be responsible for yet another spectacular (failure).

There are far better informed people on here, and I welcome corrections to the above.

As to Linux desktops, it's really, really unlikely for the time being, although it would be very sensible long term. In primary care (GPs) the situation is a lot messier still. GPs generally still don't control their IT budget, and in my limited experience can be very poorly served indeed by people they have no management authority over. There's also a very unhealthy lack of competition in the specialist primary care software market here, in no small part because it's been politically unacceptable to use North American software over here (modified or otherwise). IMHO it's not under-investment but really poor upper management.

 

[Mark A]

Eric, kdampney and Paul Hannaby - Thanks for explaining it so clearly; I'll pass it on to my father on Friday. Convincing him to buy new work PCs may be difficult, however, as he still doesn't know what a virus is...

Mark

 

[RogerS]

.....
It's up to you to decide if the risk is acceptable. Perhaps if you just surf the web and use email for nothing private or personal, having your PC security compromised wouldn't necessarily be a problem to you but if you shop online, do internet banking etc. you would be at risk of having your bank account and payment cards open to abuse.

Or simply being taken over as part of a Botnet sending out spam to all of us or your computer being used in a DDoS attack.

 

[RogerS]

.....he still doesn't know what a virus is...

Mark

But I do hope he is running some good anti-virus stuff on his machine. If not then why not?

 

[RogerS]

Actually, this whole XP/NHS thing has raised some huge warning bells. Just how secure are doctor's surgeries, hospitals, health professional's laptops? Are they locked down ? I doubt it. So you're going to have all these XP devices where anyone can stick in their favourite bit of software downloaded from the internet. A compromised piece of software.

 

[Mark A]

.....he still doesn't know what a virus is...

Mark

But I do hope he is running some good anti-virus stuff on his machine. If not then why not?

I've installed Norton antivirus and Malwarebytes on his PCs.

 

[Eric The Viking]

Mark,

You may not need to replace the machines, unless they're quite old: upgrading the operating system to Windows 7 or 8.1 will do it.

 

[Eric The Viking]

Actually, this whole XP/NHS thing has raised some huge warning bells. Just how secure are doctor's surgeries, hospitals, health professional's laptops? Are they locked down ? I doubt it. So you're going to have all these XP devices where anyone can stick in their favourite bit of software downloaded from the internet. A compromised piece of software.

Yup... that's the nature of the problem, and probably why the DoH appear to be starting to panic.

 

[DrPhill]

Eric, kdampney and Paul Hannaby - Thanks for explaining it so clearly; I'll pass it on to my father on Friday. Convincing him to buy new work PCs may be difficult, however, as he still doesn't know what a virus is...

Mark

Hmmmm, if it is the parting with money that is the stumbling block then you could likely run a Linux on the same box instead of / as well as xp. Zero cost (well one dvd and a bit of download time). If you want to go this route someone here will burn the install dvd for you. That is the hardest bit if you live on ms-island.

I have been running without any virus protection for over two years now. I still do not know what a virus is. Actually, I do. We had one at work on our carefully controlled and monitored windows-based system. Not smug at all. Oh no. Really.

 

[RogerS]

Eric, kdampney and Paul Hannaby - Thanks for explaining it so clearly; I'll pass it on to my father on Friday. Convincing him to buy new work PCs may be difficult, however, as he still doesn't know what a virus is...

Mark

Hmmmm, if it is the parting with money that is the stumbling block then you could likely run a Linux on the same box instead of / as well as xp. Zero cost (well one dvd and a bit of download time). If you want to go this route someone here will burn the install dvd for you. That is the hardest bit if you live on ms-island.

I have been running without any virus protection for over two years now. I still do not know what a virus is. Actually, I do. We had one at work on our carefully controlled and monitored windows-based system. Not smug at all. Oh no. Really.

Trouble is, DrPhill, that there is a learning curve for the user interface surely? I have no idea how much of a curve that is but would suggest that it is perhaps not ideal for some users?

 

[Eric The Viking]

I've just done (most) of my first day's work ever using a Linux box. Not much different to Windows XP, at least not so I noticed. I may even stick with it on the desktop (had a different plan in mind).