- The UK NHS is still using Windows XP, risking a devastating cyber-attack from malicious actors.
- The number of computers still running the outdated OS is small, but still enough to put the network at risk.
- The UK government plans to update everything to Windows 10 by April 2021, but it looks difficult at this point.
Joanne Marie Platt, a member of the UK parliament, has submitted a question to the Secretary of State for Health and Social Care, asking how many computers in the NHS (National Health Service) are still running the obsolete Windows XP operating system. The response came from MP Jackie Doyle-Price, and the answer is approximately 2300 computers, or 0.16% of the total number of machines deployed across the NHS. While that percentage is admittedly very low, anyone who understands how security works can easily see that the number is more than enough to offer attackers a way into the NHS network and databases, since a single compromised machine can serve as a foothold.
Windows XP has been unsupported by Microsoft since 2014, so these 2300 machines have not received any security updates in the past five years. This means that they carry a mind-boggling number of vulnerabilities right now, allowing attackers to choose from a wealth of possible entry points, exploits, and well-known, documented security flaws. With the NHS unable to upgrade these systems five years after Microsoft announced the end of XP support, people justifiably wonder what will happen when Windows 7 support ends in January 2020.
The government's plan is to upgrade all systems to Windows 10 by April 2021, and for this it has invested a total of £210 million, which will go towards improving the systems' resilience against attacks, deploying systems dedicated to incident detection and response, and upgrading the OS and software tools. Because some offices and departments rely on legacy software tools to carry out their role, there are systems that can't be upgraded to a newer OS, as these tools would no longer be compatible. For these cases, the NHS will need to pay developers either to port the tools or to build new ones.
This news is very similar to a recent report by a subcommittee of the US HSGA (Homeland Security and Government Affairs), which found that the majority of US government agencies are not compliant with the NIST framework. According to the report's findings, the DHS (Department of Homeland Security) is still using Windows XP and Windows Server 2003. In both the UK and the US, these agencies hold and manage sensitive citizen data, so the modernization of the deployed systems should be an absolute priority for their governments. The fact that it isn't, whatever the specific reasons, shows how little the private data of citizens is valued by their political representatives.