Security experts have warned that patient data is at risk after it was revealed that 90% of NHS Trusts in England are still running the unsupported Windows XP operating system.
A Freedom of Information Act request from Citrix also found that just over half are not sure when they’ll upgrade to a newer system, while 14% think they’ll do so by the end of the year and 29% said the migration would happen some time in 2017.
Citrix received responses from 42 of the 63 Trusts it approached, but the stats are still a damning indictment of poor security practice in the health service.
Unless these systems are being protected by virtual patching, they’ll be far more exposed to the threat of attack as Microsoft stopped issuing security updates for government PCs in April 2015.
Jonathan Sander, VP of product strategy at Lieberman Software, explained that the risk of running XP depends on what systems are doing so.
“Many healthcare organizations have single-purpose devices that don’t require a network connection for their main purpose. Often they may decide that such devices don’t need the attention of updates and patches,” he continued.
“The problem is that thanks to Wi-Fi and the centralization of management and services, even these once disconnected devices are now being connected to be managed, to access print services, and more. With network connection, they become targets for malware, worms, and everything else a bad guy might sneak in. Healthcare is then left with the two poor choices of leaving these XP devices out of their networked, centralized services or having to pour a ton of effort and time into updating them.”
Oliver Pinson-Roxburgh, EMEA director at Alert Logic, added that upgrades may have been delayed because of problems with legacy app compatibility.
“My guess is that the risk of upgrade is higher than the risk of attack, or at least someone thinks so,” he argued.
“What’s the real risk? Well, there are some known, easy-to-find vulnerabilities for XP that can be exploited remotely and lead to full control of those systems and the data they contain, in addition to malware that could be delivered through social engineering or direct access and could be used to pivot into the network and get access to that data anyway.”