NHS Hospitals Putting Data At Risk With Outdated Windows XP


NHS Trusts have been caught running thousands of outdated and unsupported Windows XP machines, despite a developing threat landscape and GDPR on the horizon.

Back in April 2014, Microsoft officially ended support for Windows XP, once its most popular operating system (OS) which was favoured my many businesses and government agencies around the world.

As of that point, Microsoft stopped releasing security patches for the OS, meaning hackers have been free to exploit any vulnerabilities found since then, with the exception of those organisations willing to pay Microsoft for an extended support deal.

The UK government was one such organisation, paying Microsoft the princely sum of £5.5 million to continue providing security support for Windows XP. This deal came to an end in May 2015 and was not renewed, with a the government citing “good progress in moving away from Windows XP across departments and government organisations”. 


NHS emergency

However, a Freedom of Information (FOI) request submitted by Motherboard to over 70 NHS Hospital Trusts revealed that thousands of NHS computers across the UK are running the outdated OS, potentially leaving confidential patient data vulnerable to attack.

Of the 70 Trusts contacted, 42 said they were still running Windows XP machines without receiving security updates, with only one of them confirming that it had purchased a support agreement from Microsoft.

And the amount of outdated XP machines still in operation are significant. For example, Guy’s and St Thomas’ NHS Trust in London admitted to having a whopping 10,800, while Sheffield Children’s Hospital and East Sussex Healthcare have 1,290 and 413 respectively.

By running Windows XP, NHS Hospitals risk breaching data protection regulations, which are set to become even more stringent through the new General Data Protection Regulation (GDPR) coming into force in 2018. Legal experts have confirmed that the guilty hospitals may be in breach of current regulations. Jon Baines, Chair of the National Association of Data Protection and Freedom of Information Officers (NADPO), said: “If hospitals are knowingly using insecure XP machines and devices to hold and otherwise process patient data they may well be in serious contravention of their obligations.”

Tim Turner, a former Information Governance advisor in the NHS, added: ”I think it’s self-evident that using an effectively obsolete operating system isn’t appropriate.”

GDPR was finally approved in April of this year after four years of negotiations, aiming to give citizens back control over their personal data in the digital age, including the right to be forgotten.

When the new regulations come into effect in May 2018, compliance will become legally compulsory for organisations operating within the European Union. Those who fall short risk facing massive fines of up to 4 percent of global revenue for the previous year, or £15 million, which ever is greater.

With around 18 months to go, the revelation that so many NHS Hospitals are still running outdated and unprotected software is a worrying one, especially as the threat landscape is continuing to develop at an alarming rate. Indeed, hackers have shown that they are not scared to target hospitals, with organisations in Kentucky and Lincolnshire bring prime examples. In addition, Intel Security recently released a report revealing that hospitals have made nearly $100,000 in Bitcoin payments to hackers after falling victim to ransomware attacks in the second quarter of 2016.

This suggests that hackers are currently viewing hospitals as “soft targets” and, at the moment, they are right. The majority of doctors and nurses simply don’t have time to think about IT security in their day-to-day roles and by definition any attacks on hospital systems can have life-threatening consequences, so IT staff will always be willing to pay a ransom to get everything back up and running.

With the prevalence and sophistication of cyber attacks set to increase, combined with updated data protection regulations bringing severe penalties and more power to consumers on the horizon, it has apparent that a change is needed sooner rather than later.

Quiz: The triumph and the tragedy of public sector IT