Some call it the “zombie operating system”, yet as many as one in five NHS hospitals may still be using Windows XP as the core operating system for their desktop PCs; and more than 90% will have individual PCs or devices running XP somewhere on their networks.

And this, as highlighted by events at the Royal Melbourne Hospital in Australia in the New Year, is dangerous. In January this year, the hospital detected a virus that had infiltrated major hospital systems via a PC using the OS for which support ended in 2014.

The major impact was on the pathology service, which lost the ability to electronically dispatch test results. The hospital ceased processing routine samples and asked staff to fax or phone with requests for urgent samples.

It was reportedly attacked by the QBot malware, a banking trojan that harvests credentials for online banking and other payment services such as iTunes. It took the hospital over two weeks to contain the infection, as the malware mutated up to six times a day and spread around the hospital network.

OS lessons from Oz

It is not clear whether this was a deliberate attack by cybercriminals – but the warning is stark: Windows XP makes an organisation vulnerable to cyber attack.

In the NHS, loss of personal data through a known weakness such as running unsupported Windows XP could also be a breach of the Data Protection Act – opening the hospital up to the threat of a hefty fine from the Information Commissioner’s Office.

A spokesperson for the ICO explains: “Principle 7 of the Data Protection Act says: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

“Failure to upgrade and secure systems would fall under Principle 7 as it’s a ‘technical measure’ to guard against loss of personal data.”

So the question for almost every NHS trust in the country is this: what risk does the continued presence of Windows XP on your network pose and what are you going to do about it?

The OS that refuses to die

First the figures. When Digital Health Intelligence surveyed NHS trusts last year, 30% said they were still using Windows XP as their core operating system (down from 85% in 2013) and one third of those said they were planning to migrate in 2015-16.

Since then, there has been no discernible flurry of announced moves to more modern operating systems that would indicate a big change in these numbers. So it’s probably fair to assume that at least one in five NHS trusts are still running their PC fleet on Windows XP. That amounts to tens of thousands of PCs.

That’s far from the whole picture, though. Steven Lawrence, regional sales manager for the public sector for ForeScout Technologies, says that he has yet to visit a trust that has eliminated Windows XP entirely.

“Trusts simply cannot migrate the whole system into a single operating system,” he says. “There will always be the odd clinical system that will only run on Windows XP and there are countless medical devices that need Windows XP to run.”

And this, says Michael Wignall, national technology officer for Microsoft UK, is a problem, because these devices and PCs offer a back door into the main hospital systems.

“It’s serious,” he says. “It’s been a great operating system but it’s almost 15 years old now and the security threat landscape that existed then is very different to the landscape today.”

No longer supported

In addition, in Microsoft’s corporate speak, XP is “no longer supported” and has not been since 8 April 2014. This means it no longer receives hotfixes or security patches, so any vulnerability discovered since then stays open to attackers indefinitely.

But things are worse than that makes it sound, according to Wignall. “What often happens is that a threat is detected [by Microsoft] and a patch is issued for a later version of Windows. Hackers then work back from that vulnerability – and find that it also exists in an earlier version of Windows that cannot be patched.”

It’s a form of reverse engineering known as patch diffing: compare the patched and unpatched binaries of, say, Windows 10 to locate the code that was fixed, then check whether the same code path exists in Windows XP, where it will never be fixed. Every security bulletin for a supported Windows version is therefore also a potential roadmap to an XP exploit.

The advice from Microsoft is simple: Move to Windows 10 and benefit from all the latest patches and fixes.

Yet Digital Health Intelligence’s latest figures show that this has not been heeded. In 2015, 65% of trusts were running Windows 7 on their PCs and laptops.

This is probably because Windows 7 was covered by the Enterprise-wide Agreement that the company signed with the health service in the National Programme for IT in the NHS era; and also because it is perceived to be more reliable, more secure and cheaper than the subsequent Windows 8 – some of the flaws of which Windows 10 arguably fixes.

Limiting the risk

Wignall, though, is a pragmatist and understands the limitations of finance and the hotchpotch of clinical systems that leave the occasional PC reliant on Windows XP.

“We have been working closely with government to develop security guidance for the public sector on using obsolete platforms,” he says.

It outlines the first-line strategy – migrate to newer, more secure platforms. Beyond this, there should be a mitigation strategy to reduce the likelihood of a PC or device running Windows XP reaching either the critical hospital systems or the internet.

Wignall says: “You need to look at your landscape and identify systems that are accessing sensitive patient information; migrate those first and mitigate the risk of other systems touching those devices.

“Make clear the divide between the newer and the older estate. Do not connect XP to the internet. Do not allow people to plug in USB sticks to Windows XP devices. Reduce the attack risk.”

ForeScout Technologies works with more than 20 trusts, helping them to identify the PCs and devices running Windows XP and then to isolate them.

“The challenge is that organisations do not know which machines are running XP – or indeed any other operating system,” says Lawrence.

ForeScout uses an agentless technology to map all PCs and devices attached to the network and can then set about mitigating the security risk associated with each one.
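Before any of those mitigations can be applied, a trust needs a list of the machines concerned. The following PowerShell script is an added example, not ForeScout’s tooling and not part of the original article: it pulls every domain-joined computer whose operating system string matches Windows XP out of Active Directory, flags objects that have not logged on within an assumed 90-day window, and writes a CSV for follow-up. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read computer objects; the output path and the 90-day threshold are assumptions.

```powershell
# Added example: inventory domain-joined Windows XP hosts from Active Directory.
# Assumes the RSAT ActiveDirectory module and an account that can read computer objects.
Import-Module ActiveDirectory

# Assumed threshold: objects with no logon in 90 days are treated as stale candidates for removal
$cutoff = (Get-Date).AddDays(-90)

# LDAP-side filter so only XP objects are returned; the wildcard also catches XP Embedded variants
# that still report a "Windows XP" string. IPv4Address is resolved via DNS by the cmdlet.
$xpHosts = Get-ADComputer -Filter 'OperatingSystem -like "*Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address, DistinguishedName

$report = foreach ($c in $xpHosts) {
    [pscustomobject]@{
        Name        = $c.Name
        OS          = $c.OperatingSystem
        ServicePack = $c.OperatingSystemServicePack
        LastLogon   = $c.LastLogonDate
        IPv4        = $c.IPv4Address
        # Parent container: drop the leading CN=<name>, keep the OU/DC path
        OU          = ($c.DistinguishedName -split ',', 2)[1]
        # Never logged on, or not since the cutoff
        Stale       = ($null -eq $c.LastLogonDate) -or ($c.LastLogonDate -lt $cutoff)
    }
}

$report | Sort-Object LastLogon -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\xp-inventory.csv -NoTypeInformation   # assumed output path

$active = @($report | Where-Object { -not $_.Stale }).Count
"XP objects in AD: $($report.Count); active in the last 90 days: $active"
```

Two caveats a practitioner will want. LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag real activity by up to about two weeks, so treat it as a coarse filter rather than proof that a machine is off. More importantly, this only sees domain-joined computers: the medical devices and small clinical systems the article describes are frequently not joined to the domain at all, which is exactly why network-based, agentless discovery of everything with an IP address is needed alongside the AD view.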

“The quickest way to make a Windows XP machine almost completely secure is to prevent it from accessing the internet by placing it in a VLAN,” says Lawrence. “Alternatively we can create a DMZ – to allow some limited communication through firewalls only.”

But this is not a practical solution for all PCs running XP – there are some very specific cases out there linked to small clinical IT systems. Even in these cases there are ways to mitigate the risk, for example by installing a copy of Linux on the same PC and using that for browsing and email, or by running a virtual copy of XP within a Windows 7 environment. In the virtualised case the XP guest is still unpatched, so it needs the same network restrictions as a physical XP machine; the gain is that the user’s browsing and email happen on a supported host operating system instead.

Equally important is making sure all other software is up to date – and switching to a more secure browser such as Google Chrome or Firefox on computers running XP, bearing in mind that the browser vendors’ own support for XP builds is time-limited, so the version in use must still be receiving updates.

It’s all about having good policies and making sure they are implemented well, says Lawrence, and ensuring there is good device hygiene.

Not new, but still not heeded across the board

The advice is not new. Every IT manager will have heard it a thousand times. But as events in Melbourne amply demonstrate, hearing it doesn’t make a hospital immune.

Wignall says: “I absolutely understand why you are writing this article. The more people that are aware that risks and issues still exist and that there are options to reduce them the better.

“We absolutely do not want a situation where any of our customers are running any system that is not supported and not safe from cyber attack.”

Perhaps every computer should have a “now clean your PC” sticker in much the same way as every hand basin carries a “now wash your hands” warning.