Several NHS trusts are stuck in a difficult position after Microsoft ended security updates for Windows 10 in October 2025. Hospitals have been urged to migrate to Windows 11 to reduce cyber risk, yet some medical device suppliers still have not made their hardware compatible with the new operating system. This leaves critical machines running unsupported software with no patch path in sight.
The Rotherham NHS Foundation Trust is one example. According to Digital Health, its technology teams managed to upgrade roughly 98 percent of devices, but the remaining two percent are blocked because their manufacturers have not certified Windows 11 support.
Table of Contents
A small gap that creates a big attack surface
That two percent might not sound catastrophic, but hospitals remain one of the most attractive targets for cybercriminals. Any disruption can push an organisation into a ransom payment since patient care is tied directly to system stability.
James Rawlinson, Director of Health Informatics at Rotherham, explained that some equipment barely three years old now needs complete replacement. Vendors claim the certification process for medical software is lengthy and regulated. While that is true, the delay shifts the cost and the risk onto NHS trusts that are already under strain.
Rawlinson described the frustration clearly. A device that costs thirty four thousand pounds becomes unusable only a few years later because the supplier refuses to support Windows 11. Hospitals are then told to buy Microsoft’s extended support instead, even though the responsibility should sit with the manufacturer.
Cyber risk with real world consequences
Health systems cannot afford uncertainty. A past inquiry showed that the fallout from a ransomware attack contributed to a patient death. That single case is enough to illustrate the stakes. Unsupported devices create weak points in a network, and once attackers find them, they often work inward and compromise core systems.
Rawlinson added that some vendors once provided full lifecycle support but now push responsibility back to local IT teams. The shift leaves hospitals carrying the blame for security exposure while manufacturers continue selling hardware that is not future ready.
A fix is available but only with cooperation
Windows 11 is the only secure long term option for NHS systems, yet the migration will remain incomplete until suppliers certify their devices. Trusts cannot force compliance, and replacing expensive hardware every few years is unsustainable. The gap between regulatory caution and practical security is now costing the NHS time, money, and resilience.
