It has been revealed that the National Health Service is still running 2,300 outdated Windows XP computers, after a parliamentary question from Jo Platt MP.
Although, according to Parliamentary under secretary of state for the Department of Health Jackie Doyle-Price, this only represents 0.16% of all computers used by the NHS, the use of unsupported operating systems still poses a threat to the organisation’s cybersecurity.
According to Infosecurity Magazine, Platt has criticised the government for “seriously lacking the leadership, strategy and co-ordination we need across the public sector to keep us and our data safe and secure”, asking “how many more warnings will it take before they listen and take action?”
Windows XP, WannaCry and ongoing risks
In 2017, the notorious WannaCry incident cost the NHS around £92m and disrupted an estimated 34% of trusts in England, resulting in the cancellation of 6,912 appointments and operations. A report by the National Audit Office on the NHS’s response to WannaCry identified outdated IT systems as being partially to blame.
Microsoft stopped providing support for Windows XP in 2014, meaning that using the outdated system opens up significant cybersecurity risks.
Paul Bischoff, privacy advocate at Comparitech.com, explains that even a small number of outdated computers can be an opportunity for bad actors to wreak havoc, which is especially dangerous considering the large volume of sensitive information handled by the NHS:
“Windows XP is no longer supported by Microsoft, which means it no longer gets security updates. Using Windows XP is therefore a security risk, and that’s especially true for governments.
“Considering the damage done by the WannaCry attack in 2017, it’s appalling that the NHS hasn’t finished upgrading its systems. Even if 2,300 computers is a small fraction of the total, hackers only need a single point of ingress to infect an entire network.”
The NHS’ technology transition efforts
Last year, the UK government signed a deal with Microsoft to provide the NHS with up-to-date Windows technology over the next few years. Although updating the estimated 1.4m computers used by NHS trusts around the country is an extensive process, this suggests that there is still a way to go before old technology is removed from networks.
The NHS has been criticised for still using outdated technologies: the Health and Social Care Secretary has banned the purchase of fax machines, with the intention of phasing them out by 2020, and the use of pagers has also been banned.
Roy Rashti, cybersecurity expert at BitDam, believes that it is essential the NHS is proactive in protecting its networks:
“All public organisations, much like those in the private sector, are responsible for safeguarding their own information. Having computers running old operating systems such as Windows XP, which are no longer supported by Microsoft, means there are no longer patches available to secure the device.
“As the threat of spear-phishing grows, government organisations need to be proactive rather than reactive, in protecting their networks and systems. This requires an advanced threat protection technology that doesn’t rely on trends or past attacks to detect them but can identify them as they continue to evolve and iterate.”