The widespread use of Windows XP also raises worrying questions about other applications and operating systems used in NHS Trusts.
Windows XP, the operating system which lost Microsoft support 18 months ago, is still in widespread use in NHS trusts across the UK – with the failure to upgrade putting patient data and infrastructure at considerable risk.
According to research by Citrix, a shocking 90 per cent of trusts still use Windows XP – albeit on a small percentage of overall devices in some cases.
The data – taken from a Freedom of Information (FoI) request issued to 63 NHS trusts, with 42 responding – also revealed that half of trusts (24) are still unsure as to when they will migrate from Windows XP to a newer operating system.
Fourteen per cent of trusts indicated that they would be transitioning to a new operating system by the end of this year, with nearly a third (29%) claiming they will make the move some time next year.
For James Moles, security consultant at Lastline, the data comes as no surprise to an organisation known to struggle with budget constraints.
“It comes as no surprise to hear that the cash-strapped NHS is still running Windows XP across it’s estate. Any austerity hit organisation will concentrate their spending where it brings the most benefit to its core mission and with the NHS that is clearly patient care.”
NHS Trusts cannot be pilloried for choosing to funnel funds towards patient care, however, very real and dangerous risks lie in the running of Windows XP. With no support, any organisation running XP will be vulnerable to security holes – holes which are no longer issued patches by Microsoft. The risks in running XP, however, run much deeper than vulnerabilities and patches, as Alert Logic’s Oliver Pinson-Roxburgh explained:
“What’s the real risk? Well there are some known, easy to find vulnerabilities for XP that can be exploited remotely that lead to full control of those systems and the data they contain, in addition to malware that could be delivered through social engineering or direct access that could be used to pivot into the network and get access to that data anyway. The other issues are that some application vendors have stopped support and will not be as persistent as Microsoft at communicating an upgrade and they are just as vulnerable.”
Understanding the risk posed to NHS Trusts running XP is just one piece of the puzzle, the other question being as to why no action has yet been taken to upgrade. Offering an educated guess as to why, Mr Pinson-Roxburgh said:
“My guess is that the risk of upgrade is higher than the risk of attack, or at least someone thinks so (weigh up the risk of people’s data or worse people being put at risk by upgrade vs. the likely chance the system is attacked vs. someone believes the systems just doesn’t put people at risk or the systems don’t do anything that impacts patients or their data).”
The slow response in upgrading to a newer desktop operating system also lays bare another worrying question – what are NHS Trust’s doing with their other applications and operating systems. Have those been regarded with the same ‘if isn’t broken, don’t fix it’ mentality?
Speculation aside, NHS Trusts need to upgrade and move to an OS which has support and thereby offers a certain level of security. It is going to be a difficult decision for NHS Trusts to part with budget in order to move ahead with such change, but NHS Trusts must make that change and prepare for the interim gap in transition.
“As we have seen with the public sector, transition and innovation is slow moving, expensive and often gets tied in bureaucratic processes,” said Alex Cruz-Farmer from NSFOCUS.
“With the public sector constantly being strapped for cash, and budget cuts being made across the board, investing heavily in upgrading and patching critical applications which are built upon Windows XP to support more current Operating Systems, will be a difficult pill to swallow. There needs to be an interim solution, and this is where a complete security portfolio, including threat intelligence can provide that transition stop-gap.”
In a year which has seen cyberattacks used to hold hospitals to ransom and well-publicised attacks on NHS trusts such as those in Lincolnshire and East Yorkshire, this data should be the wake-up call that’s needed. It should, however, also be a wake-up call for all organisations running on Windows XP today. Urging change, Tripwire’s Tim Erlin said:
“It’s well established fact that using Windows XP puts an organization at greater risk. It’s unsupported, and known to be vulnerable.
“Organizations that continue to rely on Windows XP today are well past the stage where ‘planning a transition’ is an acceptable response. Significant mitigation actions need to be taken if XP simply can’t be replaced.”