Two years after WannaCry, 2,300 NHS computers are still running Windows XP
17 July 2019
Jackie Doyle-Price, Parliamentary Under-Secretary of State at the Department of Health and Social Care, has admitted that the NHS is still running approximately 2,300 computers on Windows XP, while adding that these machines make up only 0.16% of the NHS’ IT estate.
In May 2017, shortly after the WannaCry ransomware attack struck NHS organisations, Health Secretary Jeremy Hunt promised that Windows XP would be eliminated from NHS institutions by March 2018. The attack disrupted 81 of the 236 trusts across England as well as 603 primary care and other NHS organisations, including 595 GP practices, and its cost to the NHS has since been put at around £92 million.
In response to the WannaCry attacks, the Department of Health and Social Care (DHSC) initially invested £60 million to address key cyber security weaknesses in NHS hospitals and GPs and promised to spend a further £150 million over the next two years.
Shortly thereafter, NHS Digital entered into a three-year strategic partnership with IBM to provide a range of services to healthcare organisations and to enhance NHS Digital’s capability to monitor, detect and respond to a variety of security risks and threats across the NHS.
NHS Digital also issued a tender valued between £700,000 and £850,000 for the creation of a cyber design authority team to support expanded data security centre responsibilities. It also issued a tender worth between £1.5 million and £1.65 million for the supply of a Project Management Office (PMO) and a Security Demand & Supply Management (SDSM) Team that would support an expanded Data Security Centre.
Around 2,300 NHS computers are still running Windows XP
Despite these efforts, a number of NHS organisations are still using Windows XP, an operating system now nearly two decades old that Microsoft stopped supporting, and therefore stopped patching, in April 2014. Even Windows 7, rolled out much later, reaches the end of its support in January 2020.
Jackie Doyle-Price, Parliamentary Under-Secretary of State at the Department of Health and Social Care, told Parliament on Monday that as of July 2019, “approximately 2,300 National Health Service computers are using Windows XP”, a very small proportion of the 1.4 million computers used by NHS organisations.
“We are supporting NHS organisations to upgrade their existing Microsoft Windows operating systems, allowing them to reduce potential vulnerabilities and increase cyber resilience,” she added.
She was responding to a question posed by shadow Cabinet Office minister Jo Platt who wanted to know “the number of computers in the NHS that use the Windows XP operating system”. Following Doyle-Price’s response, Platt noted that the continued use of the Windows XP operating system is “an indictment of this government’s cybersecurity record.”
“The government is seriously lacking the leadership, strategy and co-ordination we need across the public sector to keep us and our data safe and secure. How many more warnings will it take before they listen and take action?
“The next Labour government will provide not only the resourcing but also the vital leadership, organisation and dedication needed to get our public sector fit and resilient to fight the cyber threats of the 21st century,” she said.
Hackers need just one weak point to infect an entire network
Commenting on the government’s admission about the NHS still using over 2,000 computers that run Windows XP, Paul Bischoff, privacy advocate at Comparitech.com, said that it’s appalling that the NHS hasn’t finished upgrading its systems considering the damage done by the WannaCry attack in 2017.
“Even if 2,300 computers is a small fraction of the total, hackers only need a single point of ingress to infect an entire network,” he warned.
“The WannaCry ransomware attack in 2017, which affected more than 200,000 computers worldwide including thousands across the NHS, typifies the extent and severity of the damage that can result from attackers exploiting governments’ failure to update systems and maintain consistent security protocols,” said Roy Rashti, cybersecurity expert at BitDam.
“All public organisations, much like those in the private sector, are responsible for safeguarding their own information. Having computers running old operating systems such as Windows XP, which are no longer supported by Microsoft, means there are no longer patches available to secure the device.
“As the threat of spear-phishing grows, government organisations need to be proactive rather than reactive, in protecting their networks and systems. This requires an advanced threat protection technology that doesn’t rely on trends or past attacks to detect them but can identify them as they continue to evolve and iterate,” Rashti added.