IT provider Citrix said that data it had gathered from 35 NHS Trusts under freedom of information (FOI) laws revealed that 14% of those organisations were unsure when they would complete the migration of their computers away from the Windows XP software.
The bodies, together with all public sector bodies in the UK, have a deal which ensures that Microsoft will "maintain critical and important security updates" for Windows XP until 8 April 2015. The deal was signed by the Crown Commercial Service earlier this year after Microsoft had decided to end the "extended support" it offered for its Windows XP and Office 2003 products with effect from 8 April 2014.
Citrix said that 74% of the NHS Trusts it had gathered FOI data about outlined their intention to "migrate their last device" away from Windows XP in March 2015.
Cyber security guidance issued by the UK government encourages organisations to ensure that they keep the software on their computers and network devices up-to-date as part of their basic management of IT security risks.
"Software running on computers and network devices that are connected to or capable of connecting to the internet should be licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available," according to the 'Cyber Essentials' guidance.
The guidance said organisations should remove all out-of-date software from computers and devices "that are connected to or capable of connecting to the internet".
Organisations should also ensure that software upgrades issued by suppliers and, security patches in particular, are installed promptly when they become available, it said.
The Information Commissioner's Office (ICO) warned organisations earlier this year that the longer they leave software and systems unsupported, the more likely they would be to face a fine should the fact the software and systems were unsupported lead to a breach of personal data they are responsible for.
If a data breach occurred that could have been prevented had the organisation been using a supported system then we would take this into account when deciding whether further action was required," an ICO spokesperson told Out-Law.com in April. "Unsupported systems become more insecure as time passes, so we would also need to consider the length of time an organisation has been using an unsupported system and the reasons why as part of our decision making process."