Following the news that patients are being put at risk because most NHS trusts are still using old Windows XP systems which could enable hackers to steal patient data or take control of hospital infrastructure. Criminals have already used cyberattacks to hold hospitals to ransom and an NHS trust in Lincolnshire and East Yorkshire said this week that an attack in October led to the cancellation of more than 2,800 patient appointments, including operations. IT security experts from Tripwire, Lieberman Software, Lastline, NSFocus and AliertLogic commented below.
Tim Erlin, Sr. Director, Product Management at Tripwire:
“It’s well established fact that using Windows XP puts an organization at greater risk. It’s unsupported, and known to be vulnerable.
Organizations that continue to rely on Windows XP today are well past the stage where ‘planning a transition’ is an acceptable response. Significant mitigation actions need to be taken if XP simply can’t be replaced.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“The reality is that the 9 of 10 NHS trusts running Windows XP are far from alone. Many organizations are under pressure to do more with less and spend their time focused on securing new assets and services rather than updating the old. The saying “if it isn’t broken, don’t fix it” is very strong in this case.
The real risk associated with running Windows XP depends on how the systems are used. Many Healthcare organizations have single purpose devices that don’t require network connection for their main purpose. Often they may decide that such devices don’t need the attention of updates and patches.
The problem is that thanks to WiFi and the centralization of management and services, even these once disconnected devices are now being connected to be managed, to access print services, and more. With network connection, they become targets for malware, worms, and everything else a bad guy might sneak in with SPAM. Healthcare is then left with the two poor choices of leaving these XP devices out of their networked, centralized services or having to pour a ton of effort and time into updating them.”
Jamie Moles, Security Consultant at Lastline:
“It comes as no surprise to hear that the cash-strapped NHS is still running Windows XP across it’s estate. Any austerity hit organisation will concentrate their spending where it brings the most benefit to its core mission and with the NHS that is clearly patient care.
The problem however, with still running Windows XP as a desktop operating system is that as an OS that is no longer supported by Microsoft any security holes discovered in XP will not be fixed by Microsoft.
Any penetration tester worth their salt will actively search for Windows XP machines within a customer environment as these are a known weak spot and easy to take advantage of to fully compromise a Windows Domain based computer network.
The solution is to remove Windows XP by upgrading to newer desktop operating systems and by protecting the perimeter with suitable network security solutions.”
Alex Cruz-Farmer, VP at NSFOCUS:
“As we have seen with the public sector, transition and innovation is slow moving, expensive and often gets tied in bureaucratic processes. With the public sector constantly being strapped for cash, and budget cuts being made across the board, investing heavily in upgrading and patching critical applications which are built upon Windows XP to support more current Operating Systems, will be a difficult pill to swallow. There needs to be an interim solution, and this is where a complete security portfolio, including threat intelligence can provide that transition stop-gap.”
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
“Its worrying that this is not higher on the list of things for remediation, and it also makes me wonder where this fits on their risk register. The challenge is very likely caused by legacy applications that hamper the ability to upgrade the OS. My guess is that the risk of upgrade is higher than the risk of attack, or at least someone thinks so (weigh up the risk of people’s data or worse people being put at risk by upgrade vs. the likely chance the system is attacked vs. someone believes the systems just doesn’t put people at risk or the systems don’t do anything that impacts patients or their data ). What’s the real risk? Well there are some known, easy to find vulnerabilities for XP that can be exploited remotely that lead to full control of those systems and the data they contain, in addition to malware that could be delivered through social engineering or direct access that could be used to pivot into the network and get access to that data anyway. The other issues are that some application vendors have stopped support and will not be as persistent as Microsoft at communicating an upgrade and they are just as vulnerable.
The other burning question is, how are they doing with keeping their other OS’s and applications in the estate up-to-date.
These days it’s better to focus on the ability to detect a breach and be able to respond than to put all your eggs into “I have a tool that blocks that” basket, and be ready to respond as quickly as possible. In these cases I would argue that if you haven’t upgraded then the systems and apps must be mission critical and thus your response would be hampered due to the criticality of the system and why patching or upgrading is hypercritical.
Looking today at https://netmarketshare.com/ from February to current date we see that still over 24% of systems they see are running windows XP, win 7 is still holding out with the lion’s share of what systems are running. There are even some vista machines and old unsupported OSX systems as well.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.