Naked Security

Windows XP ‘still widespread’ among healthcare providers

Using XP a security risk and could also breach HIPAA, warn experts

Microsoft ended Windows XP support a couple of years ago, and any veteran security practitioner will remember the constant barrage of malware hurled their way through trivial exploits of the old OS.

But for various reasons — lack of financial resources and compatibility problems, for example — many organizations continue to use it. Case in point: the UK’s National Health Service trusts.

A report in Infosecurity Magazine reveals that 90% of NHS Trusts still run Windows XP. The publication cites a Freedom of Information Act request from Citrix in which more than half of respondents weren’t sure when they’d upgrade to a newer OS. Some 14% thought they’d do so by year’s end and 29% expressed hope that they’d shift to a more modern version of Windows at some point in 2017. Citrix got responses from 42 of the 63 trusts it approached.

From the article:

Unless these systems are being protected by virtual patching, they’ll be far more exposed to the threat of attack as Microsoft stopped issuing security updates for government PCs in April 2015.

This isn’t the first time institutions have been seen using Windows XP, and it’s certainly not a problem restricted to the UK.

The HIPAA Journal reported in June that researchers discovered malware infections through medical devices running on legacy systems at three hospitals. They found “a multitude of backdoors and botnet connections,” installed using “ancient” Windows XP exploits. Attackers compromised the machines even though the hospitals had modern, sophisticated defenses in place, the publication reported.

Capture Billing, a medical billing organization based in South Riding, Virginia, estimates on its website that one in four of the world’s PCs still run Windows XP and it’s likely many healthcare facilities need to “take corrective action” immediately. The company warns that such organizations might be violating HIPAA.

“If your medical practice has made any computer purchases within the past 12 years, you might currently be violating HIPAA and not even realize it,” the company says on the website.

Dr Harold Bornstein, longtime physician of president-elect Donald Trump, faced ridicule over the summer when a picture surfaced of him with a Windows XP screen clearly visible on his desk.

It’s easy to frown upon organizations that still use Windows XP. But in fairness, there are plenty of reasons why some have struggled to migrate to something newer. Financial constraints are often cited as a big reason, but another issue is compatibility.

Many healthcare operations, for example, rely on legacy systems that don’t play well with newer versions of Windows, making the changeover more complicated.

It’s also worth noting that in medical facilities, a lot of Windows XP boxes are not connected to the Internet, which makes them less of a security risk.

6 Comments

The costs associated with a breach of patient information are significantly higher than any costs associated with upgrading. There are no longer any excuses that adequately support the decision to hold off upgrading anymore.

Reply

You’re naturally 100% correct, but most NS readers already know that. The problem is that most governing boards don’t–and saving upgrade cash is the reverse of gambling a lottery.

Five years at a hospital saw plenty of I.T. ignorance–security and otherwise. Financial dudes note how 1200 Microsoft licenses are guaranteed to be expensive while even a high probability of system failure is still only that–a probability.

Rational points also get lost in organizational politics: I’d just gotten hired at the helpdesk (coming from an enterprise data center) and immediately saw their impending $400,000 HVAC renovation for what it was: an under-informed plan based on experience cooling people–not servers. I highlighted how we could save a fortune (accomplishing it for around 1-2 percent of that) but was quickly silenced.

During construction our office was in chaos for months, our procedures were compromised, convoluted, or completely abandoned, and our critical gear was exposed to dust, vibration, outside air, countless workers, and extreme cold. The cold alarms actually proved my attempted-preemptive point that additional cooling wasn’t required, and strategic airflow was all we’d needed. In addition to a ton of project budget, we could have saved overtime pay, stress, delayed support, and premature aging of our equipment–we replaced drives and still found dust a year later. Life doesn’t stop simply because I.T. is in the oldest (c.1920) section of the hospital. I later learned the project eventually cost around a million dollars.

With a rare opportunity to make an immense difference, I’d given up too easily when instructed to stop. I was new and obeyed, not wanting to rock the boat. However, I now couldn’t possibly regret getting fired (if I’d been canned for speaking out of turn) as much as I now wish I’d written a letter to the CEO in time to stop that fiasco–less for chances of glory and more for sticking to my guns and doing the right thing. Although I wouldn’t begrudge a $5000 bonus for saving my employer 80 times that either.

Wow (/rant). It still bugs me after nine years. My point was that politics kept the plan going without considering my (admittedly late) objection, like upgrading OSes can also be hindered by red tape. Learned some stuff, but glad I left.

On the bright side, I pinged a buddy who’s still there–they’re down to probably 5% WinXP. Lower than I expected. Bully for them! :-)

Reply

The last sentence is the one that matters – “… a lot of Windows XP boxes are not connected to the Internet …”. I suspect that in so many businesses there are large numbers of PCs that just don’t need to be connected to the internet. There is too much connection by default, possibly because it is easier to manage them. The elimination of risk must make it worthwhile looking for a better way without the need for internet connection.

Reply

I may be wrong but I was under the impression that in the UK the government had purchased continuing support for XP from Microsoft.

Reply

Having worked in the medical field for a decade, I have seen how small IT budgets can be considering how valuable the information they protect is. Software compatibility is also a HUGE factor. We had a state mandated and run program that would not run on anything after Windows 2000 Pro. Every other desktop in our organization was Windows 7.

Reply
