Jason Mafera, field chief technology officer for healthcare at IGEL, explains why the mothballing of Windows 10 isn’t just a technical milestone, but a test of healthcare’s digital resilience.
It’s 0200 in a busy A&E department. A trauma patient arrives, and the clinical team needs instant access to their medical records, but the system is sluggish, hobbled by an ageing endpoint. Moments later, another terminal at the nurses’ station freezes, disabled by a ransomware attack. The device, still running Windows 10, is no longer supported and hasn’t received critical security patches.
This isn’t a hypothetical crisis; it’s an everyday risk. From 14 October 2025, when Windows 10 reaches end of support, these scenarios are set to become more frequent and the danger more acute. For the NHS and the wider UK healthcare sector, this isn’t just an IT concern, but a frontline patient safety issue.
While all sectors face risks from running unsupported, insecure systems, healthcare’s exposure is particularly severe. UK hospitals, GP surgeries and community health services rely on a vast network of legacy software and specialised applications that often can’t be upgraded overnight. Clinical workstations are shared across shifts, used by hundreds of staff daily, and are often dispersed across multiple sites. Cybercriminals know this and increasingly exploit healthcare’s complexity to disrupt care delivery with ransomware, data theft and service outages.
In 2023, two-thirds of healthcare organisations were hit by ransomware attacks, with an average recovery time of three weeks. In the NHS, every hour of downtime risks delayed care, cancelled appointments and compromised outcomes. Furthermore, 27% of existing clinical endpoints lack the hardware required to upgrade to Windows 11 (typically a TPM 2.0, UEFI Secure Boot or a supported CPU), leaving those devices as open doors for an attacker.
The cost of inaction
Once support for Windows 10 ends, every remaining device in the NHS will become a soft target for cybercriminals. Without critical patches, even diligent IT teams will struggle to keep up with emerging threats. Microsoft’s paid Extended Security Updates programme can buy time for specific devices, but it delivers security fixes only, must be licensed per device, and is a bridge rather than a destination. Regulators, including NHS bodies in the UK and the HIPAA enforcement authorities in the US, are tightening scrutiny of unsupported software, raising the bar on cybersecurity standards.
Failed audits can result in fines, the loss of insurance coverage and, worst of all, forced suspension of clinical services. To prevent this from happening, NHS Digital, for example, has implemented Data Security and Protection Toolkit (DSPT) assessments, which flag unsupported software as compliance red flags. The consequences go beyond penalties and public scrutiny: disruption to clinical services during a cyberattack can interrupt care delivery, put pressure on already strained staff and ultimately jeopardise patient safety.
It’s understandable that trusts may be hesitant to commit already limited budget and time to systemwide upgrades. But the financial reality is this: the cost of a major cyberattack or regulatory penalty often dwarfs the investment needed to upgrade. Maintenance for unsupported systems is not only expensive, it also diverts IT resources from innovation and clinical support. Conversely, investing in platforms that are easy to update, centrally managed, and designed for prevention can extend device life, reduce support calls and lower insurance costs.
For NHS providers, the upgrade challenge isn’t just technical, it’s operational. Many run essential applications that aren’t compatible with newer systems, including Windows 11. The safest path begins with a thorough audit: which endpoints are business-critical? Which are most exposed? Which devices or applications can’t be moved yet, and which hardware can’t physically take Windows 11? For high-risk or unmovable devices, use network segmentation and strict access controls to contain exposure. For others, cloud-hosted desktops and applications allow safe migration, so that clinical access no longer depends on the health of the local device.
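The audit described above starts with knowing, per endpoint, whether it is still on Windows 10 and whether the hardware can take Windows 11 at all. The script below is an added example, not code from the article or from IGEL, that gathers exactly those facts from a Windows endpoint and assigns each device to a triage bucket (upgrade in place, contain or replace, already current). It checks the published Windows 11 minimums (TPM 2.0, UEFI Secure Boot, 4 GB RAM, 64 GB system disk, 64-bit OS, two or more cores) but does not check the CPU model against Microsoft’s supported-processor list, which is an assumption the reader must close separately. The function name, the triage labels and the CSV path are this example’s own choices; the script needs to run elevated because Get-Tpm and Confirm-SecureBootUEFI require administrator rights.

```powershell
# Added example (not from the article): inventory one Windows endpoint for
# Windows 10 end-of-support exposure and Windows 11 hardware readiness.
# Run elevated. CPU model eligibility is NOT checked here (assumption).

function Get-EndpointUpgradeReadiness {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    # Windows 10 builds top out at 19045 (22H2); Windows 11 starts at build 22000.
    $build       = [int]$os.BuildNumber
    $isWindows10 = ($os.Caption -like '*Windows 10*') -or ($build -lt 22000)

    # TPM must be present and report spec version 2.0 (Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38").
    $tpm2 = $false
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        if ($tpm.TpmPresent) {
            $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop).SpecVersion
            $tpm2 = (($spec -split ',')[0].Trim() -eq '2.0')
        }
    } catch { $tpm2 = $false }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws on legacy BIOS/CSM.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $secureBoot = $false }

    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $diskGB = [math]::Round($sysDisk.Size / 1GB, 1)
    $is64   = $os.OSArchitecture -like '64*'
    $cores  = [int]$cpu.NumberOfCores

    # Collect every blocker rather than stopping at the first, so the report
    # shows what a refurbishment (e.g. enabling TPM in firmware) would actually fix.
    $blockers = @()
    if (-not $tpm2)       { $blockers += 'TPM 2.0 missing or disabled' }
    if (-not $secureBoot) { $blockers += 'Secure Boot off or legacy BIOS' }
    if ($ramGB -lt 4)     { $blockers += "RAM ${ramGB}GB below 4GB" }
    if ($diskGB -lt 64)   { $blockers += "System disk ${diskGB}GB below 64GB" }
    if (-not $is64)       { $blockers += '32-bit OS' }
    if ($cores -lt 2)     { $blockers += 'Fewer than 2 CPU cores' }

    # Triage: an unsupported OS that cannot be upgraded in place is the population
    # that needs segmentation, replacement or a hosted desktop.
    if ($isWindows10 -and $blockers.Count -gt 0) { $triage = 'Contain or replace' }
    elseif ($isWindows10)                        { $triage = 'Upgrade in place' }
    else                                          { $triage = 'Already Windows 11' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = $os.Caption
        Build        = $build
        IsWindows10  = $isWindows10
        Tpm2         = $tpm2
        SecureBoot   = $secureBoot
        RamGB        = $ramGB
        SystemDiskGB = $diskGB
        Cores        = $cores
        Win11Ready   = ($blockers.Count -eq 0)
        Blockers     = ($blockers -join '; ')
        Triage       = $triage
    }
}

# Usage: run on each endpoint (or fan out with Invoke-Command) and append to one CSV
# that the trust's wider inventory can consume. Path is this example's choice.
Get-EndpointUpgradeReadiness |
    Export-Csv -Path "$env:ProgramData\endpoint-readiness.csv" -NoTypeInformation -Append
```

The result is a per-device row that answers the audit questions directly: IsWindows10 identifies exposure after end of support, Blockers separates hardware that a firmware change could rescue (TPM or Secure Boot disabled) from hardware that cannot be saved, and Triage feeds the segmentation, replacement or hosted-desktop decision the article describes. Fan-out with Invoke-Command against a list of hostnames is the usual way to run this across a site.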
Where full upgrades aren’t feasible, securing medical devices tied to Windows 10 presents unique challenges. Best practices include segmenting these devices from hospital networks, tightening access controls, and collaborating with manufacturers to ensure supported lifecycles. Where that’s not possible, “break-glass” plans should be put in place to maintain patient safety until compromised or non-working devices can be replaced.
UK health providers face especially acute pressures. NHS budgets are tight, IT talent is in demand and digital maturity across trusts varies wildly. Yet, the risks of delay are too significant to be ignored. NHS leaders are prioritising critical endpoints, aligning IT investment with clinical risk, and relying on solutions that deliver security and operational continuity by design, not by afterthought.
Best practices for the future
Modernising for Windows 11 and beyond isn’t just about security. Extending device life, reducing e-waste and selecting energy-efficient IT platforms serve both environmental goals and the bottom line. This is becoming an increasingly board-level priority for UK trusts and global providers, as the NHS commits to achieving Net Zero.
No health system wants to repeat the scramble of end-of-support. Software lifecycle management must be integrated into an ongoing strategy, rather than being treated as an afterthought. That involves investing in modular, centrally managed endpoints that are easy to update, adapt and recover. Cloud-first strategies and business continuity planning are now essential, ensuring clinicians can always access the digital tools they need, regardless of what happens to a single device.
Windows 10’s end isn’t a simple technical milestone, but a test of healthcare’s digital resilience. Approach it as an opportunity to rethink technology, workflows and risk, and the result will be not only a more compliant but a stronger NHS. The real measure is not how quickly we patch, but how confidently we can guarantee safe, reliable care at every login and at every hour of the day.