NHS systems still reliant on Windows XP

Government minister downplays significance of venerable OS' continued use

NHS Trust building

Over 2,000 NHS systems are still running on Windows XP five years after it stopped receiving security updates.

It's the latest hammer blow to the NHS' reputation for being well behind the curve in terms of keeping its IT systems up-to-date and secure.

The figures were slammed by shadow Cabinet Office minister Jo Platt after they were revealed by Jackie Doyle-Price, parliamentary under secretary of state at the Department of Health.

"The government is seriously lacking the leadership, strategy and co-ordination we need across the public sector to keep us and our data safe and secure," said Platt. "How many more warnings will it take before they listen and take action?

"The next Labour government will provide not only the resourcing but also the vital leadership, organisation and dedication needed to get our public sector fit and resilient to fight the cyber-threats of the 21st century," she added.

It's not the first set of figures that illustrate an apparent disregard for cyber security in some parts of the National Health Service. In December 2018, a response to an FOI request revealed some NHS Trusts spend as little as 250 on cyber security.

Results of a different FOI request a year later revealed one NHS Trust in Cumbria was the victim of an "extraordinary" number of cyber attacks and had spent 29,600 in 2017 alone to remedy the effects.

Doyle-Price was quick to dispel Platt's criticism, claiming that although the number of legacy systems was in the thousands, it only accounted for a small percentage of the total 1.4 million computers run by the NHS.

"This equates to 0.16% of the NHS estate," said Doyle-price. "We are supporting NHS organisations to upgrade their existing Microsoft Windows operating systems, allowing them to reduce potential vulnerabilities and increase cyber resilience."

In the wake of the WannaCry ransomware attack on the NHS in 2017, the National Audit Office revealed the NHS had been warned by the Department of Health as early as 2014 about the threat of cyber attacks and that it should migrate from Windows XP by April 2015.

Five years later, the upgrade process still hasn't been completed and after an attack that cost the NHS a reported 92 million, it has led experts calling for better action to be taken.

"Considering the damage done by the WannaCry attack in 2017, it's appalling that the NHS hasn't finished upgrading its systems," said Paul Bischoff, privacy advocate at Comparitech.com. "Even if 2,300 computers is a small fraction of the total, hackers only need a single point of ingress to infect an entire network."

There are other reasons for running old software too."Often we see that companies are running old software that is no longer compatible with the newer operating systems, and therefore have to use older systems for this reason - but this does not make lower the risk of using those systems," said Boris Cipot, senior security engineer at Synopsys.

"For instance, it may have very expensive medical equipment that can only be controlled by software that runs on XP," said security analyst Graham Cluley. "So it's not just a  case of updating a PC, but perhaps spending millions on a new MRI scanner."

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Google fixes zero-day flaw in Chrome and Chrome OS
bugs

Google fixes zero-day flaw in Chrome and Chrome OS

23 Oct 2020
Microsoft spearheads industry-wide charter against AI cyber attacks
Security

Microsoft spearheads industry-wide charter against AI cyber attacks

23 Oct 2020
Weekly threat roundup: Chrome, Citrix and WordPress
Security

Weekly threat roundup: Chrome, Citrix and WordPress

23 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020

Most Popular

Why you should prioritise privileged access management
Sponsored

Why you should prioritise privileged access management

9 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020