It has been reported that the NHS is still running over 2000 Windows XP computers. The figures came in response to a parliamentary written question tabled by Jo Platt, the shadow Cabinet Office minister.
Parliamentary under secretary of state at the Department of Health, Jackie Doyle-Price, replied that the health service was running around 2300 XP computers as of July this year. Platt criticised the figures as an indictment of the government’s failure to prioritise cybersecurity.
The NHS was famously caught out by the WannaCry ransomware worm of 2017, which affected around a third of trusts, led to the cancellation of an estimated 19,000 operations and appointments and cost the £92m to clean-up.
Experts Comments:
Paul Bischoff, Privacy Advocate at Comparitech.com:
“Windows XP is no longer supported by Microsoft, which means it no longer gets security updates. Using Windows XP is therefore a security risk, and that’s especially true for governments. Considering the damage done by the WannaCry attack in 2017, it’s appalling that the NHS hasn’t finished upgrading its systems. Even if 2,300 computers is a small fraction of the total, hackers only need a single point of ingress to infect an entire network.”
Roy Rashti, Cybersecurity Exper at BitDam:
“The potential impact of infiltrating the organisation like the NHS is huge. Depending on the target organisation and the sophistication of its deployed defences, adversaries may gain access to the much wider network of systems and databases that it is connected to. The WannaCry ransomware attack in 2017, which affected more than 200,000 computers worldwide including thousands across the NHS, typifies the extent and severity of the damage that can result from attackers exploiting governments’ failure to update systems and maintain consistent security protocols. Ultimately, gaining wide access to a variety of systems and databases means access to a greater amount of valuable data and opportunity to maximise profit or gain strong political leverage.
All public organisations, much like those in the private sector, are responsible for safeguarding their own information. Having computers running old operating systems such as Windows XP, which are no longer supported by Microsoft, meansthere are no longer patches available to secure the device.
As the threat of spear-phishing grows, government organisations need to be proactive rather than reactive, in protecting their networks and systems. This requires an advanced threat protection technology that doesn’t rely on trends or past attacks to detect them but can identify them as they continue to evolve and iterate.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.