Are old operating systems putting the NHS at risk in 2020?

  • 30 September 2020
Are old operating systems putting the NHS at risk in 2020?

With reports suggesting that Microsoft source code relating to Windows XP has been shared online, our cyber security columnist, Davey Winder looks into whether old operating systems are putting the NHS at risk in 2020.

The news that Microsoft source code relating to Windows XP had apparently been leaked to a number of file-sharing sites online may well have passed you by. After all, who uses Windows XP these days and what difference does it make if the source code is out there?

Although it has yet to be confirmed by Microsoft, which is investigating, if this is the actual source code to Windows XP Service Pack 1, there are potential security risks.

It would appear that the source code leak is actually a combination of various files, which would impact Windows Server 2003 and even Windows CE and MS-DOS. Most of these files had been floating around the dark web for some time, but this marks the first public distribution.

Windows XP itself was released way back in October 2001, with the final release in 2008. It reached end of life status on April 8, 2014, when general support, including security updates ceased. A security patch was later released by Microsoft in May 2017, in response to the WannaCry ransomware attack that hit the NHS so hard.

Exploiting vulnerabilities

The general availability of source code to an operating system will make the life of those wishing to exploit vulnerabilities much easier and it does highlight the risk posed by older Windows systems such as Windows 7 for example.

The NHS has been migrating devices, where possible, from both XP and Windows 7 to Windows 10 for some months now. However in some cases, such migration does attract compatibility challenges. There is also financial considerations when talking about replacing machines where software cannot be updated.

“Legacy systems running out of date operating systems continue to be a huge problem for the NHS,” Bharat Mistry, principal security strategist at Trend Micro, told me.

“In some cases, these systems are used for critical processing of data and, because of the risk of significant disruption, these systems never get updated,” he added.

Stopping determined hackers

For Ray Walsh, a digital privacy expert at ProPrivacy, he is not convinced that the small market share of XP will stop determined attackers from exploiting any new vulnerabilities if they are found lurking within this leaked code.

“With the realisation that sensitive targets like hospitals and the military still employ these outdated systems, there is a real danger that cybercriminal groups and government-sponsored hackers could potentially seek to make use of the source code to launch a cyber-attack,” he adds.

Don’t become a victim

For Boris Cipot, a senior security engineer at Synopsys, those who use outdated software are putting themselves at higher risk of attack.

“At the end of the day if you’re using outdated software, you’re running the risk of becoming a victim,” he said.

The alleged leak of the Windows XP source code poses a great risk to users by “opening new doors for vulnerabilities to surface”, Cipot adds.

The most appropriate action, he advises, “is to replace outdated systems to those that are maintained securely.”

How doable this is, at least in the short term, for healthcare in the UK remains to be seen. It is, however, a conversation that security teams need to be having and will be made more of a priority, in my never humble opinion.

As Doug Tognarelli, senior cybersecurity consultant at SureCloud, pointed out in conversation, this could impact more than just XP itself.

“Source code is often redeveloped and reused in later editions,” Tognarelli says.

“Any new vulnerabilities discovered in Windows XP have the potential to also be reflected in newer versions of Windows which may pose a higher risk.”

Therefore the NHS needs to be watching carefully as this story unfolds and, according to Tognarelli, “outdated and unsupported software installations are upgraded, replaced, or removed to ensure that systems remain secure”.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Two more Liverpool hospitals impacted by Alder Hey cyber attack

Two more Liverpool hospitals impacted by Alder Hey cyber attack

Alder Hey Children's NHS Foundation Trust has announced that the cyber attack it suffered last week has impacted two more hospitals.
Major cyber security incident declared at Merseyside hospital

Major cyber security incident declared at Merseyside hospital

A “major incident” has been declared at Wirral University Teaching Hospital NHS Foundation Trust “for cyber security reasons”.
Barts Health rolls out Cynerio cyber security platform

Barts Health rolls out Cynerio cyber security platform

Barts Health NHS Trust has rolled out Cynerio’s healthcare-focused cyber security platform across all of its sites.

4 Comments

  • Thanks “The Insider” – written exactly like someone detached from the practicality of actual IT operations within an NHS acute care environment would write…..

    • Written like somebody who understands that it should not be like this. Just because it’s “ok” in the difficult setting of acute doesn’t mean you should have unsupported and non-secure tech running within ANY tech stack. I’m not suggesting it is simple – but XP came out a real long time ago…

      • Why are you attributing a quote to me that I never actually made? I never said this was “ok”…
        My point is that there are practical issues that may prevent an upgrade from happening, despite an IT departments best efforts to eradicate legacy items from their estate.
        To be labelled nothing but negligent without knowing the facts and practicalities (legacy inheritance, financial pressures, lack of Digital representation/acceptance at Exec level etc.) of why these devices may still exist is both uninformed and rather ironically remarkably negligent on your part of real world issues in itself.
        Anyway, back behind the keyboard you go to put the world to rights…. I’m away to take care of the 0.12% of our estate still running XP (most of which can’t actually talk to the internet)

  • It’s nothing but negligence if these are still out there in NHS tech estates.

Comments are closed.