NHS left with sick PCs as suppliers resist Windows 11 treatment

NHS hospitals are being blocked from fully upgrading to Windows 11 by a small number of suppliers that have yet to make their medical devices compatible with Microsoft's latest operating system. Digital Health News reported this week that one supplier quoted the Rotherham NHS Foundation Trust £25,000 to upgrade a three-year- …

  1. Jou (Mxyzptlk) Silver badge

    Oh please

    We've been doing this for decades with Win98, Win2000, WinXP, Win7 (Vista did not appear yet), Win8.1 and various old unixes/linuxes with old well known bugs:

    DMZ them, done. And either they stay DMZ (device/machine control PCs), or more time left to migrate.

    1. Caver_Dave Silver badge

      Re: Oh please

      But of course, this is difficult as everyone wants integrated care. Instant access to scans and test results, etc., and not waiting for a week for something to get to my doctor's in the postal service from the hospital.

      1. that one in the corner Silver badge

        Re: Oh please

        Which is where putting them in a DMZ comes in, with a carefully placed proxy to shunt sanitised requests across.

        Which is how any non-bog-standard-office-PCs should be set up from day one (so no rush to seal them off at Windows EOL). But that would mean that suppliers would have to document the protocols, so could never happen.

        It'd also need someone to think about security from day one and for one big customer (waves at NHS) to apply some pressure on the vendors, maybe with the help of government regulations. Hmm. I'm dreaming of a total fantasy world, aren't I.
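The DMZ-plus-proxy arrangement the two comments above describe, as an added example that is not code from the article or any commenter: a minimal allow-list HTTP proxy in Python that sits on the DMZ boundary host. The legacy device can only reach the proxy; the proxy forwards only the request shapes the internal results service legitimately needs, drops every other header, and logs each rejection so the SOC can spot a device that is misbehaving or something in the DMZ impersonating it. The internal hostname, the two endpoints and the size limits are assumptions invented for the example.

```python
"""Allow-list proxy for unpatchable devices parked in a DMZ.

Added example, not code from the article or any commenter. Assumptions
(all hypothetical): the legacy device pushes results to an internal
results service over plain HTTP, only two endpoints are legitimate, and
everything else is dropped and logged.
"""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit
import logging
import re
import urllib.error
import urllib.request

log = logging.getLogger("dmz-proxy")

# Hypothetical internal target; the DMZ device never reaches it directly.
INTERNAL_BASE = "http://results.internal.example:8080"

# Allow-list: (method, path pattern, maximum request body in bytes).
ALLOWED = [
    ("POST", re.compile(r"^/results/[A-Za-z0-9-]{1,64}$"), 1_000_000),
    ("GET", re.compile(r"^/worklist/today$"), 0),
]

# Only these request headers pass through; cookies, vendor debug headers
# and anything else the device sends are dropped.
PASSTHROUGH_HEADERS = {"content-type"}


def sanitise_request(method, raw_path, headers, body_len):
    """Return (method, path, headers) to forward, or None to reject.

    Every rejection is logged with its reason so monitoring can pick up a
    device that has started sending traffic it never used to send.
    """
    parts = urlsplit(raw_path)
    if parts.query or parts.fragment or ".." in parts.path:
        log.warning("reject %s %s: query/fragment/traversal", method, raw_path)
        return None
    for allowed_method, pattern, max_body in ALLOWED:
        if method == allowed_method and pattern.fullmatch(parts.path):
            if body_len > max_body:
                log.warning("reject %s %s: body %d > %d bytes",
                            method, raw_path, body_len, max_body)
                return None
            clean = {k: v for k, v in headers.items()
                     if k.lower() in PASSTHROUGH_HEADERS}
            return method, parts.path, clean
    log.warning("reject %s %s: not on allow-list", method, raw_path)
    return None


class DmzProxyHandler(BaseHTTPRequestHandler):
    """Forwards only sanitised requests to INTERNAL_BASE."""

    def _handle(self):
        body_len = int(self.headers.get("Content-Length") or 0)
        decision = sanitise_request(self.command, self.path, self.headers, body_len)
        if decision is None:
            self.send_error(403)  # say nothing about why to the device side
            return
        method, path, clean_headers = decision
        body = self.rfile.read(body_len) if body_len else None
        req = urllib.request.Request(INTERNAL_BASE + path, data=body,
                                     headers=clean_headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                payload = resp.read()
                self.send_response(resp.status)
                self.send_header("Content-Type",
                                 resp.headers.get("Content-Type", "application/octet-stream"))
                self.send_header("Content-Length", str(len(payload)))
                self.end_headers()
                self.wfile.write(payload)
        except urllib.error.HTTPError as err:
            self.send_error(err.code)
        except (urllib.error.URLError, OSError):
            self.send_error(502)

    # Unlisted methods still reach _handle and are rejected by the allow-list.
    do_GET = do_POST = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Bind on the DMZ-facing interface of the boundary host (placeholder address).
    ThreadingHTTPServer(("0.0.0.0", 8081), DmzProxyHandler).serve_forever()
```

The allow-list is deliberately expressed as method plus path pattern plus body ceiling rather than as a deny-list, so a vendor feature nobody documented (the point made above about undocumented protocols) fails closed instead of slipping through; the rejection log is the detection signal for the box behind it having been tampered with.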

        1. AlgernonFlowers4

          Re: Oh please

          'It'd also need someone to think about security from day one and for one big customer (waves at NHS) to apply some pressure on the vendors'

          Why the NHS does not use its purchasing power to insist on security is a complete mystery.

          1. Doctor Syntax Silver badge

            Re: Oh please

            Largely because it's not one massive organisation. It's a series of trusts, and independent GP, dental and other practices.

            1. nohatjim

              Re: Oh please

              The NHS by some estimates has over 300 people with a job title of CIO...

            2. CountCadaver Silver badge

              The flaw in the NHS

              The govt should have years ago called GPs' and dentists' bluff - if necessary used their majority to revoke their licence to practice unless they agreed to what would have been sensible terms of direct employment.

              Instead we have a pile of wasteful empires, reliant on dodgy statistics and swinging wildly every time a new study comes along, which undermines public trust in clinicians.

              Where surgeons are not being held to best practice but instead "improving their current ways of working"

              Where patients are being injured, disabled and killed by bad care, where it isn't reported and dealt with due to rigid hierarchies which enforce a "don't betray your fellow medical brothers and sisters" and "don't question your superiors" culture, where hospital depts act like disconnected independent businesses in one building rather than a cohesive and holistic care system, where a patient with multiple health issues could and should be treated for them in one admission but instead they are admitted, treated or diagnosed with one thing, discharged, sent home if untreated to get worse, readmitted etc., etc., causing vast amounts of disruption to their lives, worse health outcomes, vastly increased cost to the health service.

              When what should happen is that if a patient is admitted for something like an MRI - then instead of doing a tiny area - instead also look at high risk areas or the whole body.

              Leverage technology to do basic processing to highlight any potential harmful signs and flag these to a radiologist (weighted where the system will flag something rather than not), fund extra training places and look at the training programs for radiologists (so you don't have lengthy courses filled with irrelevant nonsense because "oh it's related to medicine so they need to do large amounts of the medicine course") - in other words to strangle the numbers of new radiologists, stymie attempts to cut waiting times in order to "keep some work for tomorrow, next week, next month", fight any changes to working methods.

              If software on my SLR is able to recognise various animals and focus on them then it surely is possible to build a more powerful IT system that could scan through large amounts of MRI data, flag anything immediately dangerous, flag things possibly dangerous, flag anything that isn't dangerous yet but matches a precursor and then recalls the patient for another scan at an appropriate interval. Therefore you would then cut the workload for clinicians, allow admin staff to focus on organising critical appointments and dealing with patients (particularly those who need extra support) while the system handles the basic stuff - patient at a familial risk, scan is clear, recall in a decade for example.

              However the attitude is that empires MUST be protected and ranks closed to protect the organisation / trust even when patients are put at risk, denied care due to "lack of funds", where this lack is caused by waste and frankly stupid outdated attitudes, which are bad for patients, bad for hospital efficiency and bad for the public finances.

              Also the right wing media (basically all of the UK media) would SCREAM about any rises to taxes, the BMA would litter the media with scare stories while glossing over just how many people are killed, disabled or otherwise harmed by their members every single year through incompetence, arrogance, wilful malfeasance etc.

              1. Benegesserict Cumbersomberbatch Silver badge

                Re: The flaw in the NHS

                Whole body MRI increases the time taken to acquire images between 2- and 5-fold. It also increases the time taken to report the acquired images by at least the same amount.

                Then you get into the whole complex of consequences of any medical fishing expedition. That test you ordered that came back positive - what is its specificity? That test that came back negative - what is its sensitivity? False positives and false negatives are an unavoidably real thing. Acting on them exposes patients to new risks. The incidental finding of a benign but atypical-looking lesion, for liability purposes alone, means your doctor has to recommend a biopsy. Then you get an infection or a perforated viscus, because even perfectly competently done procedures have their complication rates. Rabbit holes get really deep really quickly in medicine.

                You can have as good a health service as you are prepared to pay for.

    2. cyberdemon Silver badge

      Question is

      Why would an embedded, single-purpose application such as an MRI or OCT scanner, or any medical diagnostic machine, be running Windows in the first place??

      It's as daft as running Windows on an oscilloscope (and yes, many "high end" oscilloscopes, perversely, run Windows).

      The only reason I can think of, is to guarantee more expensive service call-outs for the manufacturer.

      You wouldn't put Windows in a car, you certainly wouldn't put it in avionics, and I wouldn't want it involved in anything where a BSOD really means death.

      1. Jou (Mxyzptlk) Silver badge

        Re: Question is

        Aw, that is just your prejudices. Since Win7 the stability got quite good. I had Server 2008 R2 with uptime > 700 days, and Server 2012 R2 (as Hyper-V cluster) with both hosts uptime > 1250 days each. Until I came along and started Windows Updates, else they would have been running till decommissioned. A lot of equipment still runs XP Embedded, simply 'cause you can concentrate more on the software running and care less about the OS, and those machines get turned off at the end of the day. Haven't seen NT 4.0 and Win9x/3.x for quite a while, but they exist.

        1. cyberdemon Silver badge

          Re: Question is

          No, it's not prejudice, I say it for good reason, which is that Windows cannot be stripped back to only the bare minimum components. The first rule of anything safety-critical is that there should not be any features of the software which are not mandated by the requirements of the application.

          Windows cannot run without a writable filesystem (even the oxymoronic "Windows Embedded" needs to feign fs writes in RAM). It can't run without a VGA device, it can't run without a network stack or USB stack, it can't even run without a web browser.

          Whereas Linux (or better yet, an RTOS such as Zephyr) can be compiled with the bare minimum of features. This is not just to save on resources, but to remove the possibility of failure modes hidden in unused (and therefore untested) parts of the system.

          1. bazza Silver badge

            Re: Question is

            Yes one can embed Linux and trim it down to size. But despite the advances it’s still a faff. Yocto is pretty good but you still need to be reasonably expert. Whereas if a machine starts off as a PC on to which one can just install a regular PC OS then you’re less dependent on such expertise.

            At least that's how many people (CFOs, project managers) see it. And they're poorly equipped to see the whole cost. One has to have a really good reason to be able to persuade such people to invest properly.

            There are tools and OSes like VxWorks and Integrity that make it very easy to minimise the code around the needs of the application, and are way less faff than Yocto. But they cost money, and CFOs and project managers can't see beyond the end of the development phase to appreciate the cost savings in support. Nor do they want to keep an expensive dev team on when the development is "complete".

            So far as I can see, it’s game over for embedded OSes in devices where a screen is a necessary component, and unfortunately it’s not anything to do with good technical choices.

            For medical devices the fact that the FDA’s rules on software certification are nuts (related to the recertification costs for rolling out patches) simply translates into a ripe commercial opportunity for the manufacturers that isn’t their fault. (Caveat: it’s been a while since I was in that line of work and the regulatory rules may be more relaxed). The regulatory environment wasn’t ready for the advent of putting Windows, networks and USB inside and around medical devices.

            Yocto itself is running out of steam I think. RPi has shown that actually a full fat Linux can be laid down on an embedded system fairly easily. And if you think the Pi is good, NXP do a Debian distribution for their range of Arm devices. One of those, a Layerscape something or other, is 8mm x 8mm and can run a full 64 bit Linux with 2 GB of RAM, takes 1 Watt. Why bother with Yocto?

      2. Anonymous Coward

        Re: Question is

        "You wouldn't put Windows in a car, you certainly wouldn't put it in avionics, and I wouldnt want it involved in anything where a BSOD really means death"

        Have you heard of Windows for Warships? That's not a joke. https://en.wikipedia.org/w/index.php?title=Submarine_Command_System#SMCS-NG_as_first_deployment_of_%22Windows_for_Warships%22

        I remember watching a documentary several years ago about the sea trials of a new UK Navy ship which used Windows for Warships. They were running an exercise to simulate an inbound missile attack during which the Windows system crashed and took several minutes to restart - during this period their automated Phalanx radar controlled miniguns (intended to destroy such missiles) were left inactive. If this had been a real-life scenario then the ship would have likely been hit and damaged or destroyed.

        1. bazza Silver badge

          Re: Question is

          I remember that episode well.

          Its origins go back to how hard it was even then to assemble a good POSIX / Unix dev team, especially when "graphics" at the time on such platforms were mediocre whereas Windows was a lot more sorted (= still had shortcomings). Such systems (any that have anything to do with weapons targeting and release) are quasi-safety-critical, which cuts out an awful lot of established normalcy.

          In modern parlance, frameworks like Electron would be a complete no-no, as were the equivalents of the day. Incidentally, you can see the impact of such restrictions today; the GUIs in the cockpit of an airliner or any military jet are pretty primitive.

          As you've related, Windows for Warships turned out not to be a great success. However, I'm not sure we'd be any better off today. MacOS? Nope. Windows? Nope (see above). Android? Nope. Linux? Also probably no, at least not a mainstream distro.

          In reality, a good choice is one driven by a careful and complete analysis of the requirements and deciding whether or not one has to tackle unknown / untrusted data from external networks or not. A closed-off non-networked system with no USB ports can afford to carry a lot of security related bugs and simply never get updated. A networked system either has to be very particular indeed in its implementation to be thoroughly hardened to attack, or have an active monitoring, update and patching system in place.

      3. Sandtitz Silver badge

        Re: Question is

        "The only reason I can think of, is to guarantee more expensive service call-outs for the manufacturer."

        Why would any other OS be any cheaper service call-out for the manufacturer on an embedded system?

        "BSOD really means death"

        ...but kernel panics do not? Ludicrous.

        1. Doctor Syntax Silver badge

          Re: Question is

          It's a long, long time since I saw a kernel panic happen.

          1. Sandtitz Silver badge

            Re: Question is

            "It's a long, long time since I saw a kernel panic happen."

            So? Is there a guarantee of them not happening anymore?

            A kernel panic happening only rarely - and causing a death - is apparently ok.

            I haven't seen a BSOD for a long time either.

            1. Nematode Bronze badge

              Re: Question is

              I used to be 2nd line software support leader for a DCS control systems mfr and vendor. We used to constantly get sales queries about customers asking how immune our system was to viruses/malware (this was 1987-2000). Once we'd stopped laughing, our answer was "we don't know of any malware written to run on [theOpSysWeUsed] *. It used to doubly amuse us as our issues at that time were mainly getting the durn thang to do what it should do, plus we also didn't see how malware could do anything evil without knowing the OS and architecture, which I think was selected to be as obscure as possible. Certainly no e-mail-or-web-vectored attack could work.

              * the OS name would be giving confidential info away, not at the 30-year moratorium end yet!

          2. werdsmith Silver badge

            Re: Question is

            It's a long time since I saw a BSOD. So what?

            I know of Windows 7 machines sitting in production areas doing the job they have always done without fail.

          3. Dwarf Silver badge

            Re: Question is

            @Doctor Syntax.

            It's a long, long time since I saw a kernel panic happen.

            I believe things got better once Major Problem retired.

            Now we only have to worry about General Failure and Private Problems

          4. AndrueC Silver badge

            Re: Question is

            It's a long, long time since I saw a BSOD. If I had to guess it would be on my dev machine at work as the result of me 'walking where there be dragons' eg; developing a device driver or making really silly IOCTL requests. I stopped doing that kind of work several years before I retired and consequently haven't seen a BSOD for likely over a decade at least.

            The argument that you can't cut down Windows to just what is needed is valid - or at least there appears to be far too much that 'is needed'.

            But BSODs are a thing of the past or the result of dodgy hardware that would likely cause a kernel panic if Linux was installed - or you'd hope so as the alternative is probably undefined behaviour.

            1. Jou (Mxyzptlk) Silver badge

              Re: Question is

              I've seen BSODs more often, but only one reason: Intel 10 GBit "Server Quality" drivers on Windows Servers. They haven't fixed their crap for > two decades now. Don't try "VSwitch" (or Hyper-V switch) with more than one network card member, as MS promotes since Server 2016 -> blue screen. I was lucky those crashes happened about two minutes after login, so I could delete that vswitch. Other completely normal fun stuff makes Server 2012 R2 crash hard (mouse freeze, you don't even get a blue screen). RDMA? Never dared to try with those many bugs around. Imagine the other cluster node's network card writing directly into your memory. Faster than going through the CPU, but, well, no. There are tons of other things (like advertised 1 GBit / 10 GBit optical cards, which only do 10 GBit), and it all boils down to Intel never getting their drivers really right, not limited to network cards. Imagine how successful Intel could have been with good driver quality...

              1. Danny 14

                Re: Question is

                e810 work just fine. zero bsod. RDMA enabled. cluster runs well.

                1. Jou (Mxyzptlk) Silver badge

                  Re: Question is

                  Yeah, that is the 25 GBit capable one, which yet none of our customers needed - bottlenecks are somewhere else. No. Scorched earth with x710 (again). No trust.

                  Do you use the VSwitch to combine two of them for Hyper-V cluster HA for the VMs, or the "older" bundling method available since Server 2012? Current state (Server 2025, x710 cards): I did not get a BSOD like I still got in 2022, but after a few hours uptime communication starts to go weird with unexplainable packet loss when using the actually recommended New-VMSwitch + Add-VMSwitchTeamMember method. We had to HA in a different way - again (no bundling on host level at all this time).

      4. This post has been deleted by its author

      5. kmorwath

        Re: Question is

        Because it is far easier to code complex GUIs in Windows than in Linux. The only other alternative would be Apple, with even more lock-in.

        People working with MRI and OCT scanners don't like a CLI - believe me. Nor can they often be coded in some webish framework and run in a browser. And frankly, they would risk even more compatibility issues with Linux than Windows - which has excellent backwards compatibility, unlike Linux. Ask those who can't use older NVidia cards because the new kernel can't run older drivers.

        There's a reason why the year of "Linux on the desktop" is still far, far away. And it will never come as long as Linux pundits believe a CLI is all you need every time, and IDE/RAD are for lusers. The actual luser in this field is Linux itself.

        1. Handlebars Silver badge

          Re: Question is

          I used to see ED staff and ambulance controllers using TUIs fast enough that the system would have to buffer their inputs.

          1. kmorwath

            Re: Question is

            Different needs than a scanning machine. You want your MRI shown in ASCII art? You also need fairly complex image manipulations, which in turn may need commercial libraries not available for Linux. And for these reasons you may have a large codebase written for Windows that would be complex and expensive to move to Linux. And WINE may not be an option when you have to talk to very specific hardware.

            Yes, you can do it in Linux too - but it's far more complex and expensive than in Windows and macOS, where the GUI is a first-class citizen and not something bolted on using different window managers and without a standard GUI library.

            You may not like it, but that won't change reality. Linux is not the right platform for intensive GUI development for most companies - and there's also a lack of developers knowing how to deal with Linux's stupid chaos in GUI development. It's not freedom of choice, it's plain chaos because there are too many cocks in the henhouse and achieving consensus on a standard API is impossible. Without Torvalds, I guess the kernel itself would have soon become chaotic too.

            Commercial companies like standards, they have no time to wrestle with chaos like basement nerds like to do.

            Also, now MRIs and the like may be delivered together with applications to display them - and those applications have a large chance of being run on a Windows system.

            Linux should adopt a standard GUI system API and a standard GUI library - it would also simplify the development of good development tools for GUIs.

            As long as Linux sits on its fat ass and just hopes Nadella finishes killing Windows to become widespread on desktop systems it won't go anywhere.

      6. captain veg Silver badge

        Re: You wouldn't put Windows in a car

        I once hired a small car that turned out to be a Fiat 500 and was utterly horrified to see the Windows logo on a button on the steering wheel.

        Nothing bad happened, to my relief. I'm pretty sure that it was just the in-car entertainment that was so afflicted.

        -A.

      7. I am David Jones Silver badge

        Re: Question is

        Same as a home printer/scanner, it doesn't have to be running Windows but does need to be compatible.

      8. CountCadaver Silver badge

        Re: Question is

        You'd probably be surprised just how prevalent various flavours of Windows are "behind the scenes".

        The problem often is that the hospital doesn't want to spend vast sums supporting some bespoke system, so manufacturers produce something that will interface with the hospital Windows network and so the software runs on Windows. Now it *may* run on Windows 11, but given it's medically related then the manufacturer has to certify it as compatible with Windows 11.

        It would be no different if it ran on Linux, BSD etc. and a new version / kernel came out and the manufacturer refused/failed to update compatibility to the new version and instead told you to "buy a new scanner" etc. at X hundred thousand or X million - you could say "it'll work fine" but legal are going to tell you no way in hell due to how exposed you will leave the hospital; the insurers will deny coverage as there will be a clause covering operation of devices outwith manufacturers' approval.

        This is another example of capitalism gone rogue and generating vast amounts of waste because the drive is to sell new rather than maintain existing.

    3. Danny 14

      Re: Oh please

      Or just use 2019 LTSC if it is critical. Still supported till 2029. Not exactly ideal but at least it will work for another few years whilst the kit is replaced more cost effectively.

  2. Pascal Monett Silver badge

    NHS hospitals

    What? Are you telling me that they have finally upgraded from Windows 95?

    Wow.

    1. LogicGate Silver badge

      Re: NHS hospitals

      What? Are you telling me that they have finally upgraded TO Windows 95?

      There, I fixed it for you

      1. Korev Silver badge

        Re: NHS hospitals

        Well, 95 > 11, so who's laughing?

  3. Anonymous Coward

    Should have gone and stayed with OS/2 :)

    Possibly not so silly, as eComStation have a surprising number of clients.

    Surprising number of instruments in non safety critical environments were shipped with OS/2 and are still kicking.

    1. Anonymous Coward

      Re: Should have gone and stayed with OS/2 :)

      What OS are cash machines running these days? In the past they've been notable for ancient versions of Windows (and OS/2 was still around for a long time too).

      1. Anonymous Coward

        Re: Should have gone and stayed with OS/2 :)

        Really, really hope cash machines are not just connected directly to the Internet! Even just a Teensy* board with IP & modem at one end and serial (to the main board running the UI) at the other would give all the protection they need, at less than the cost of a random "spew out all your cash" attack.

        * (literally - and cheaper ones exist)

        1. IanRS

          Re: Should have gone and stayed with OS/2 :)

          Have you not noticed that modern cash machines display adverts? Having briefly worked, several years ago, on the network security of an enterprise which included running ATMs, that mix of having a nice segregated network for PCI data with having to inject adverts for third parties was a right pain. I'm sure the additional cost of all the security controls was greater than the advert revenue would have been.

  4. johnB

    jujitsu...again

    I see from the above link that Fujitsu are listed as using OS/2.

    Hmm....

  5. Like a badger Silver badge

    Only themselves to blame

    The impression the article leaves me with is that the trust bought equipment without asking itself basic questions like how long the kit was expected to last, what that meant for software support, and how those support needs would be met. So rather than this being evil or incompetent suppliers* the single and fundamental issue here is incompetent procurement that relied on an assumption that the suppliers would either offer the support free, or at most for a handful of beans.

    I wonder if any lessons have been learned? /s

    * Profiteering, yes.

    1. John 110

      Re: Only themselves to blame

      Sometimes you just have to buy their equipment. I used to be responsible for a whole chain of Virology testing systems. Mostly test packages that would only run on the manufacturer's equipment. You are definitely at the mercy of the suppliers then.

      The procurement was based on testing by Lab people who knew what kind of result accuracy they wanted/needed. The question of will it work with future iterations of operating system was way down their list. Mainly because if the companies wanted us to keep buying test kits then they would have to meet our conditions.

      Which sounds naive, but in this field our previous expectation was that companies would work with us to provide patient care. Several takeovers later and suddenly the company is owned by venture capitalists out for profit instead of the idealists that developed the technology.

      1. John Brown (no body) Silver badge

        Re: Only themselves to blame

        On the other hand, when the Rotherham Trust bought the kit running Windows 10, Win11 had already been released. So the supplier SHOULD have been already in the process of building support for Win11. And yes, I know certification can take a long while and be costly, but 4 years later and it's still not an option says a lot of bad things about the supplier.

        1. Doctor Syntax Silver badge

          Re: Only themselves to blame

          It should also say a lot of bad things about the suppliers' ability to sell things in the future.

      2. Anonymous Coward

        Re: Only themselves to blame

        You are spot on.

        I do work for pharmacological companies. Some types of laboratory equipment are made by only a handful of companies and procurement sets out specifications that must be met, and sometimes you're lucky to have more than one provider to choose from. There's an incredible array of devices in laboratory work. Ovens, freezers, spectrographs, particle counters, hygrometers, and the results need to be stored for years, for both QA and R&D.

        Their software is - usually - garbage. The last time any development was done could have been 15 years ago. No support for LDAP (LDAPS - hah!), stupid character and length limitations for both user names AND passwords, no client-server model, poor/no encryption. Only thing they excel in is copy protection which makes it very hard to have a spare PC.

        The simple rule is that if the device or a PC controlling it is connected to the network then IT approval is required.

        The same procurement problems are both in public and private sector, with the difference that when companies are doing bad investments the details are never public.

    2. Adair Silver badge

      Re: Only themselves to blame

      This is completely backwards. Much medical equipment doesn't actually *need* a general purpose OS. For its entire life it will embody (to varying degrees) the mantra of 'do one thing, and do it well' (or at least 'do it reliably'), day after day, after day,...

      Unless some significant bug is discovered there should be no question of 'updates', 'patches', or any of the random crap that afflicts GP OSes because people keep mucking around with them.

      As it is, kit that people are depending on to work reliably day after day is being held hostage to the vagaries of some irresponsible OS supplier who knows nothing about running 'medical equipment', and cares even less.

      It's all about 'the money', the consequences of OS upgrades to users/patients are of no interest to the supplier of a General Purpose OS.

      On that basis, equipment should be supplied with an OS that is effectively immutable, and certainly in such a form that money grubbing exercises (labelled as 'upgrades', e.g. W11), are irrelevant.

  6. Jimjam3

    Extortion pure and simple.

    The money the NHS wastes in this field is huge.

  7. MontyMole

    Windows 11 was released more than three years ago. So, when they bought that equipment it didn't work with Windows 11. They should have been checking when they bought it at the time.

    1. Jou (Mxyzptlk) Silver badge

      Yeah, like five+ years before Win11 appeared? 11 was released 2021, and required CPUs at least from "around 2017"? How much IT news did you miss? Oh, 15 years between today and the last time you checked!

  8. John_Ericsson

    Blame the Project Managers. All they care about is "on time and to budget" (and impressing their managers); this is true no matter what the size of the project. Any governance issues are dismissed with a wave of the hand (which mostly works). I lasted a few months in an NHS trust until I realised their GRC was just pretend and "getting the job done" was a legitimate reason to override policy (exception requests were just rubber stamped).

    1. Anonymous Coward

      Not in the NHS trust where I used to work. I left four years ago and they had barely started rolling out Windows 10 due to the project managers' incompetence. They have recently started deploying 11 despite 10 not being complete and I know there are 95, 2000 and XP systems facing the internet because the equipment they connect to is either fully functional so there's no money or impetus to replace it, or the system is so deeply integrated into an in-house developed application that has been around for such a long time nobody has any documentation and in some cases even knows who created it.

      1. Anonymous Coward

        Current BOFH in [Redacted] Health Trust here.

        We got caught last time around by the Win7>Win10 upgrade as there were a *LOT* of mobile devices that needed upgrading and only saw a proper Wifi network once in a blue moon (think old SIM cards with spotty 3G coverage and lots of very small shared ~5 Mbps pipes out into remote ambulance deployment points/stations). It needed a year's ESU and some Supplier Defenestration to properly tackle.

        This time around we did better - currently sitting with less than 20 low-priority devices left to get Win11 onto (all on track for completion within the next two weeks, so before November's Patch Tuesday).

        We do have a few "can't patch, won't patch" boxes that are left powered off + unplugged and/or have been DMZed into oblivion. But those are mostly "must retain this information forever and no you can't migrate it onto supported hardware" scenarios or specialised medical kit.

        It's definitely an uphill battle though. ENDLESS bloody audits and evidence gathering exercises are constantly preventing us from getting any actual work done.

        The old Dilbert strip about "Lack of Resources" = "I want Daily Status reports until the situation improves" springs to mind.

        The main problem is that we're haemorrhaging staff - been interviewing for new Band 4s/5s/6s recently and unless we can steal staff from other trusts; all we get applying are fresh-out-of-collegers or "IT Directors" from India.

        (I consider myself very fortunate to have one reasonably-skilled tech and another fresh-out-of-college-but-keen bloke working under me whilst I'm in meetings playing "human firewall" between them and the Directors/Suppliers/Auditors/Regional etc. and occasionally threatening the Line Managers into getting their plebs to actually complete their supposedly-mandatory Cyber Awareness training; because they clicked the dodgy link for the umpteenth time in our Phishing tests and/or the Firewalls caught them trying to get to pornhub again...)

        - - - - - -

        I've been working here for 15 years.

        My conversations used to go something like: "No; this is sensitive medical equipment, I'm not letting it talk to YouTube or Dropbox. Use your Smartphone and Guest Wifi. I don't care if you're shagging a Director. FSCK OFF."

        Now they go something like: "What's your Business Continuity plan for being unable to access the staff rostering system for 4+ months? Because the Cloud-Only SaaS supplier you're using has just had one of their data centres hacked again and we need to block all access to/from their systems until they're declared clean by the NCSC. Oh, no, I'm afraid that's not an IT issue. It's been on your dept's risk register ever since last year when I STRONGLY RECOMMENDED you to go with the hybrid setup for this very reason. Here's the email trail and the risk ID. See you in the silver command meeting in 10 mins..."

        1. J.G.Harston Silver badge

          I've done years of NHS and CCG IT contracts - including working for the one in the article (are they still called RDASH or have they reorganised again?) - and I've not seen any adverts for jobs for three years since the end of my last contract. Where do I find them?

          1. Handlebars Silver badge

            The CCGs became ICBs a few years ago. Much of the NHS is freezing hiring right now but I have seen a few agency/contractors around.

  9. Anonymous Coward
    Anonymous Coward

    Microsoft's fault

    If I am buying something with Windows 10 and Microsoft are saying that this is "the last ever operating system", why should I be worrying about Microsoft lying?

    Rhetorical question as all large corporations lie as their standard advertising and responses.

    1. John Brown (no body) Silver badge

      Re: Microsoft's fault

      The example in the article was bought after Win11 had been released. The MS lie was already exposed and the future upgrade path defined. The supplier is more to blame than the customer in this case.

  10. Anonymous Coward
    Anonymous Coward

    Not as easy as people think...

    To everyone saying that they should have checked for the future updates...

    Well yes, they should, BUT sometimes there may only be a couple of manufacturers who only make a relatively few "Very Expensive Extremely Specialized Device (tm)" a year, and they may need to fit into existing equipment / workflow.

    When I worked at a medical research facility we did DMZ off these devices, but often the manufacturers would specify not only the version of Windows, but often which patches you could install (None) for the machine to be under support.

    The software that these things run on is a joke, and often seems to be written by the students who helped develop the machine (e.g. Chemists & Biologists etc) with old versions of Visual Basic rather than software engineers with up-to-date tooling.

    The equipment suppliers have you between a rock and a hard place: you need machine X to do your research / work, it costs many thousands to buy and for licencing & support, but they will consider the specific PC to be used the same as some custom part rather than a commodity part.

    What can you do? Demand better service? Well, go use Y machine that is just as bad?

    Not get the machine until you have assurances? Well, good luck doing your work / research and kiss your grant goodbye.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not as easy as people think...

      > What can you do? demand better service? Well go use Y machine that is just as bad?

      > Not get the machine until you have assurances?

      Answer: Sandbox the fecker.

      You mentioned DMZing it on the network; and that's a good start.

      But ideally also lock up the physical terminal whenever it's not in use; and disable its unused USB ports.

      And if something else on the internal network desperately needs to talk to it? Get upper management signoff on that as a risk; and make sure you filter the crap out of it. Block all the unused ports/destinations and run deep inspection so you can do sanitization checks on any data it's sending out.

      We have ancient systems with similar requirements. Seg/Ment/Ation and data sanitisation is the only way.

      And breaking the fingers of any supplier who even thinks about plugging a USB stick into it.

  11. Big_Boomer

    Not at all surprising

    What many outside the medical devices field don't know is that most medical devices require extensive testing and approval to ensure that they won't cause unintended effects to staff and patients. That testing costs a ****ing fortune, takes years to complete, and has to be done for each and every region where your devices will be sold because of course every region has different requirements for testing and documentation. So, MS announce that they are ending support for Win10 in just over 1 year under the massively flawed assumption that everyone can just jump to their latest shiny-shiny at will. Most medical device companies typically operate on a 5-10 year refresh cycle depending on the device, and MS and their marketing people can just go sit on a massive **** and rotate if they think otherwise.

    Ours run the latest versions of Win10 LTSR and Win10 Embedded and we will get them to Win11 when the testing/documentation is done and not before. Many such devices sit behind their own firewalls and have other protections so the fact that the OS is flawed and requires constant patching if exposed to the internet is normally not an issue.

    And before the Linux/Unix people start bleating on about using that instead, some of our devices do run on certain flavours of *nix but there are other issues there that make life difficult such as the fact that the user base are all Windows people.

    1. Sir Sham Cad

      "Most medical device companies typically operate on a 5-10 year refresh cycle"

      We have this situation at the moment. Some of the manufacturers do have devices/software that can run on Windows 11/Server 2022 but they can't sell them to us/upgrade existing software until MHRA issue a Medical Device Registration and that can take years.

      This is one of the reasons NHS England negotiated a roughly 50% discount with Microsoft on the Win 10 ESU at the last minute, having previously said they wouldn't (wanting, instead, to push us to upgrade rather than be lazy and throw taxpayers' money at the ESU).

    2. Anonymous Coward
      Anonymous Coward

      Re: Not at all surprising

      Yes, but didn't the article state that 98% of the medical device companies certified their products with Bumpyloft Trembles 11? So only a very small minority doesn't have its act together. So no need to apologize for them.

    3. williamyf Bronze badge

      Re: Not at all surprising

      A medical machine is a perfect/textbook use case for Windows 10 IoT 2021, which will be supported by Microsoft until early 2032, no ESU, no hoops, just plain old security patches.

      Blame the medical equipment manufacturer for using the wrong version of Windows....

      1. Helstrom

        Re: Not at all surprising

        I came here to say the same thing. Any "device" OEM should be providing Windows licenses under an OEM Embedded agreement and not channel reseller agreements. It is exactly for this use case that OEM Embedded channel exists.

    4. Anonymous Coward
      Anonymous Coward

      Re: Not at all surprising

      Can't those people be trained? I'm sure they're capable of re-training if they work in the NHS :)

      Anyway, I have two words for you: Digital sovereignty.

    5. John Brown (no body) Silver badge

      Re: Not at all surprising

      "the fact that the user base are all Windows people."

      For that sort of highly specialised and usually very expensive kit, does the underlying OS matter to users? Surely only the UI they interact with matters, and that would be same no matter the underlying OS. They still need training on how to use it. On the other hand, all OS's are "moving targets" that require patches and updates if not properly "hidden" from the internet.

    6. Doctor Syntax Silver badge

      Re: Not at all surprising

      "other issues there that make life difficult such as the fact that the user base are all Windows people"

      The users should be using the device's application UI, not the OS's.

  12. IamAProton

    LTSC

    WHY aren't those devices running the LTSB/LTSC version of Windows 10, which has security updates up to 2029 (possibly later) and is actually the most appropriate version for a work environment anyway?

    1. Sir Sham Cad

      Re: LTSC

      The irony is that, even if they are on the LTSC they show up as Windows 10 on an audit and count against us for DSPT compliance. Network segmentation for these devices is the best way to manage this problem (some of these devices can't even be patched, ever, because that would constitute the Registered Device being changed and, therefore, fall out of Registration compliance and cease to be a certified Medical Device).

      Our fantastic Medical Devices team do work well with us and it drives them mad too.

      1. John Brown (no body) Silver badge

        Re: LTSC

        "The irony is that, even if they are on the LTSC they show up as Windows 10 on an audit and count against us for DSPT compliance."

        In that case, the audit is wrong and insufficient for requirements. If all they are checking for is a major version number, they are doing it wrong.

        1. kmorwath

          Re: LTSC

          Many of them just run tools and just submit the results - without reading them, and understanding what they mean.

          I had an auditor who kept on complaining that an Apache web server on CentOS 7 (when CentOS 7 was still supported) was too old a version and unsupported - without knowing Red Hat backports the patches and doesn't change the release number. These are the kind of audits that are utterly useless.
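          Sir Sham Cad's point above (an LTSC box showing up as plain "Windows 10" on an audit) is exactly what an inventory check needs to handle. The following is an added example written for this thread, not code from anyone posting here or from any audit tool: it classifies constructed inventory rows by the EditionID and CurrentBuild values a device exposes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, using Microsoft's published end-of-servicing dates; the host names and rows are made up.

```python
"""Classify Windows 10 inventory rows by servicing channel, not just by name.

Constructed example: the inventory rows are made up. Build numbers and
end-of-servicing dates are Microsoft's published lifecycle values; check the
lifecycle site before relying on them for a compliance return.
"""
from datetime import date

# Keyed on (EditionID, CurrentBuild) as read from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion on the device.
LIFECYCLE = {
    ("EnterpriseS", "17763"):    ("Windows 10 Enterprise LTSC 2019",     date(2029, 1, 9)),
    ("IoTEnterpriseS", "17763"): ("Windows 10 IoT Enterprise LTSC 2019", date(2029, 1, 9)),
    ("EnterpriseS", "19044"):    ("Windows 10 Enterprise LTSC 2021",     date(2027, 1, 12)),
    ("IoTEnterpriseS", "19044"): ("Windows 10 IoT Enterprise LTSC 2021", date(2032, 1, 13)),
}
# General Availability Channel Windows 10 22H2 (Home/Pro/Enterprise/Education).
GAC_END = date(2025, 10, 14)


def classify(row: dict, today: date) -> dict:
    """Return channel, product name, end-of-servicing date and support status.

    A naive audit keyed on ProductName alone would count every row here as
    "Windows 10"; looking at edition and build separates LTSC from GAC.
    """
    key = (row["EditionID"], row["CurrentBuild"])
    if key in LIFECYCLE:
        name, end = LIFECYCLE[key]
        channel = "LTSC"
    elif row["CurrentBuild"] == "19045":
        name, end, channel = "Windows 10 22H2", GAC_END, "GAC"
    else:
        # Older GAC release or a build the table does not know: out of
        # servicing, so flag it rather than silently passing it.
        return {"host": row["host"], "channel": "unknown", "name": None,
                "end": None, "supported": False}
    return {"host": row["host"], "channel": channel, "name": name,
            "end": end, "supported": today <= end}


def audit(rows: list, today: date) -> list:
    """Classify every inventory row for the given audit date."""
    return [classify(r, today) for r in rows]


# Constructed sample export, one dict per device (names are invented).
INVENTORY = [
    {"host": "mri-console-01", "EditionID": "IoTEnterpriseS", "CurrentBuild": "19044"},
    {"host": "path-lab-pc-07", "EditionID": "EnterpriseS", "CurrentBuild": "17763"},
    {"host": "ward-pc-112", "EditionID": "Professional", "CurrentBuild": "19045"},
    {"host": "ecg-cart-03", "EditionID": "Professional", "CurrentBuild": "18363"},
]

if __name__ == "__main__":
    for result in audit(INVENTORY, date.today()):
        print(result)
```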

  13. kmorwath

    "we have to buy it brand new even though it's only three years old"

    A different kind of ransomware, just a bit more legal.

    Anyway, a large public health system should be able to write better contracts - including maintenance for an acceptable number of years - and have the supplier accept them.

  14. VeNT

    Bitch please

    I had to stop someone connecting a new ECG to the network.

    It was running windows 7.

  15. Dwarf Silver badge

    Contracts

    You would imagine that any sensible organisation, as part of their procurement process would have appropriate terms about the supplier providing relevant updates for free, during the life of the contract - covering any software or hardware.

    This ensures that the systems remain within support and good practice - such as security best practice (NIST and NCSC, etc) to always use an operating system that is within manufacturer support.

  16. Anonymous Coward
    Anonymous Coward

    To anyone bleating on about this only being a Windows issue, you’re completely wrong. We’ve currently got the same issues with Linux. Third party vendors only support specific point versions, and worse still then say that we’re fine to patch, not comprehending that patching will take it to the latest point release.

  17. Anonymous Coward
    Anonymous Coward

    The machine that goes “ping!”

    Now goes “bong!”

  18. DropletGuru

    Time For Change -

    Continuing to approach a 20-year-old problem with the same 20-year-old mindset, won't produce a different result — it’s precisely how NHS Trusts and Suppliers have arrived here. It’s time to explore non-disruptive, cost-neutral alternatives that are available in today’s market, such as Droplet NeverTrust, rather than wait for others to act or for Microsoft to resume support for legacy healthcare systems.

  19. Nano nano

    pacemakers

    Why would a pacemaker care what OS it was connecting to - it's the networking protocol that's important!

    NHS should have specified applications in Java, for longer life.
