For nearly a week now, a non-stop parade of news reports has berated the UK’s NHS, which temporarily suspended operations at some hospitals due to WannaCry infections, for its continued use of Windows XP. An example is this one. This article points out, and many other news stories also report, that Citrix obtained a response to a freedom of information (FoI) request which indicated “that 90% of hospitals still had machines running on Windows XP”. There is no indication of how big the problem really is, though. If 90% of the hospitals each had a single XP-based ATM, that would be reported the same as if each of those hospitals ran tens of thousands of XP systems. Indeed, another report on the survey had this to say:
The trusts that provided details said Windows XP made up a small part of their overall PC estate — one said it was 50 out of 5,000 PCs, for example.
A bit of Googling reveals that Citrix sent an FoI request to 63 out of more than 200 NHS trusts, and received responses from 42 (source). The survey was almost certainly run by Citrix for marketing purposes, to help sell more of their product. We should be wary about that stat.
Now come reports that XP systems really were not commonly infected. Various discussions on Twitter even indicate that XP SP3 is not susceptible to WannaCry infections.
There are people who are clearly angry with the NHS for its continued use of XP, and that is probably well founded. However, the angry stories tenuously linking XP in 90% of NHS hospitals to the service outages experienced at those NHS hospitals apparently completely miss the point: if we want to beat up on the NHS about something related to its WannaCry woes, we should go after their failure to patch Win7 and/or Win2008 in a timely manner.