When You Can’t Upgrade: The NHS’s Windows 10 Dilemma and What It Teaches Us About Outdated Systems

What’s Going On

As Microsoft ends support for Windows 10 in October 2025, the NHS has found itself in a bind. Many hospitals and trusts still rely on medical devices and specialist equipment that can’t yet run Windows 11, simply because suppliers haven’t updated or certified their software for it.


According to reports, while most NHS desktops and laptops are now on Windows 11, a small but significant number of clinical and diagnostic machines remain on Windows 10. These devices can’t be upgraded without costly vendor intervention, in some cases tens of thousands of pounds per unit or a full hardware replacement.


That leaves IT teams in a difficult spot: either keep using unsupported systems or isolate those devices and hope the vendor delivers an update before a vulnerability gets exploited. Neither is ideal.



Why Unsupported Operating Systems Are Dangerous


Running an unsupported OS is a bit like driving a car after the manufacturer stops making spare parts: it might still work, but every breakdown becomes much more serious. Here’s why:


1. No Security Updates

Once an OS reaches end of support, it stops receiving security patches. That means new vulnerabilities stay unpatched, leaving attackers free to exploit them. For healthcare systems, where devices often connect to networks storing sensitive patient data, this is an open invitation.


2. Increased Compliance and Regulatory Risk

In industries that handle personal or medical data, using unsupported systems can breach data protection obligations. If a breach happens on an out-of-date platform, regulators will ask why it wasn’t upgraded or replaced.


3. Compatibility and Reliability Problems

Modern security tools, encryption protocols, and software updates increasingly assume newer operating systems. Over time, outdated OSs lose the ability to integrate safely with other systems, making them harder (and riskier) to manage.


4. Attack Surface Expansion

Legacy systems are a favourite target for attackers because they tend to be unmonitored or “forgotten.” A single outdated device connected to a network can be the entry point for a much larger compromise.



Practical Advice: How to Keep Systems Safe and Supported


You may not have a national-scale estate like the NHS, but the same lessons apply whether you’re a startup, charity, or SME. Here’s how to stay ahead:


Keep Everything Patched

  • Apply updates regularly, not just for operating systems, but browsers, applications, and firmware.

  • Automate patching where possible to avoid relying on manual processes.

  • Establish a patching schedule with accountability: someone should “own” updates.


Know What You’re Running

  • Keep an asset inventory that tracks OS versions, hardware age, and patch status.

  • Use monitoring tools or scripts to spot outdated systems automatically.

  • Treat any unknown or unmonitored devices as potential risks until proven otherwise.
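One way to automate the inventory check the list above describes, as an added example that is not part of the original post: it reads a constructed asset inventory (hostname, OS, last patch date), flags devices whose OS is past its vendor end-of-support date or approaching it, treats an OS it has no record of as unsupported until verified, and flags stale or missing patch dates. The Windows 7 and Windows 10 end-of-support dates are Microsoft's published ones; the 60-day patch-age and 90-day warning thresholds are assumed local policy, and the hostnames are made up.

```python
"""Flag inventory entries that run an unsupported OS or whose patching is stale."""
import csv
import io
from datetime import date, timedelta

# Vendor end-of-support dates keyed by the OS name recorded in the inventory.
# Windows 7 and 10 dates are Microsoft's published ones; None means still
# supported with no end date tracked here (Windows 11 support is per release,
# simplified for this example).
SUPPORT_END = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Windows 11": None,
}
MAX_PATCH_AGE = timedelta(days=60)  # assumed local policy
WARN_WINDOW = timedelta(days=90)    # assumed: warn this long before support ends

# Constructed sample inventory; hostnames and dates are made up.
INVENTORY_CSV = """hostname,os,last_patch
ward3-ultrasound-01,Windows 10,2025-06-02
radiology-ct-02,Windows 10,2025-09-30
hr-laptop-17,Windows 11,2025-10-01
lab-analyser-04,Vendor RTOS,
finance-pc-09,Windows 11,2025-04-12
"""

def assess(row, today):
    """Return the list of findings for one inventory row (empty means OK)."""
    findings = []
    if row["os"] not in SUPPORT_END:
        findings.append("unknown OS: treat as unsupported until verified")
    elif SUPPORT_END[row["os"]] is not None:
        end = SUPPORT_END[row["os"]]
        if today > end:
            findings.append(f"unsupported since {end.isoformat()}")
        elif end - today <= WARN_WINDOW:
            findings.append(f"support ends in {(end - today).days} days")
    if not row["last_patch"]:
        findings.append("no patch date recorded")
    elif (age := today - date.fromisoformat(row["last_patch"])) > MAX_PATCH_AGE:
        findings.append(f"no patch for {age.days} days")
    return findings

def triage(csv_text, today_iso):
    """Return {hostname: findings} for every host that needs attention."""
    today = date.fromisoformat(today_iso)
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if findings := assess(row, today):
            report[row["hostname"]] = findings
    return report
```

Run `triage(INVENTORY_CSV, date.today().isoformat())` against an export of your own inventory to get a per-host list of reasons a device needs attention; hosts with no findings are omitted.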


Isolate Legacy Systems

If you can’t immediately upgrade certain devices:

  • Segment them on the network so they can’t access sensitive systems.

  • Limit user access and remove unnecessary network connections.

  • Add extra monitoring and logging for any legacy device still online.


Manage Vendor Dependencies Proactively

  • Ask your suppliers for clear upgrade roadmaps before committing to equipment.

  • Include OS-support obligations in your contracts.

  • If a vendor can’t support future upgrades, plan for early replacement before the system becomes a liability.


Review Security Configurations

Even supported systems can be vulnerable if misconfigured:

  • Disable unnecessary services and remote access.

  • Enforce multi-factor authentication (MFA) wherever possible.

  • Apply least-privilege principles: only grant users and systems the access they truly need.



Conclusion


The NHS’s situation isn’t about laziness or poor planning; it’s about vendor lock-in and the complexity of keeping specialist equipment secure. But it’s a warning for everyone: if your tech strategy depends on suppliers who can’t (or won’t) keep up with OS upgrades, you’re effectively outsourcing part of your security risk.


Every unsupported machine is a potential breach waiting for the right day. Don’t let inertia, or a vendor’s slow update cycle, define your risk exposure. Know what you’ve got, keep it patched, and build upgrade planning into your normal operations.


If this story rings a little too close to home, it might be time for a quick systems health check. At Steel FYI, we help organisations of all sizes assess their tech estate and plan secure, realistic upgrade paths, before support ends and the clock runs out.


© 2022-2025 Steel FYI. All rights reserved.
