Is it time to pull life support from legacy software, both at operating system and application level? If you are looking at this issue from a purely security-focused perspective, that time was in fact a while ago.

Yet the NHS legacy threat refuses to die. Support for Windows XP was withdrawn in April 2014 but as many as 20% of NHS organisations could still be relying upon it as their primary operating system, and around 90% are thought to run something on it somewhere in the organisation.

I’d be willing to bet what little I have that you could apply that to Windows Server 2003 and unsupported legacy applications as well. Something must change, and change before something gives way. And by the latter ‘something’ I really mean security.

The insecure triumvirate

Yes, I’m aware that cybersecurity is but one small cog in the gears that are grinding down the NHS. It exists alongside staffing issues, bed availability, patient numbers ever-increasing, and financial deficits ever-looming.

But here’s the thing: with the healthcare sector firmly on the cybercrime radar and being targeted by ransomware extortioners and data-stealing thieves alike, cybersecurity has never been more important for the NHS. Out of date technology does not help matters, and (albeit entirely anecdotally) I have heard it is not uncommon for hospitals to have more legacy applications than beds.

Nobody is saying it’s easy to upgrade from legacy operating systems which are often driving expensive pieces of old hardware and running applications that themselves have long since lost any support from the developer. Replacing one part of the insecure triumvirate often requires the replacement of the others as well.

The cost to the organisation – and it’s as true for an NHS trust or GP surgery as it is for any business – goes way beyond the obvious and financial. There’s testing time to consider when talking about hardware or applications that might have a direct impact on patient care, and the time to train staff to use the new operating system, application or device. That’s assuming there even is a workable alternative to what is currently being used.

Head in the sand is not an option

Yet it’s not something that trusts are going to be able to ignore forever. Windows Server 2003 is long past its sell-by date – Microsoft extended support ended on July 14 2015 – but it’s still being used in numerous trusts.

The NHS itself, with key systems such as the spine and summary care record requiring out-of-date browser clients, does not come away looking good either. I’ll throw GP practices into the mix as well, and say that all of healthcare needs to buck its ideas up and start walking the security walk rather than just talking a good fight.

Just sticking with Microsoft, Windows Vista extended support is ending on 11 April 2017 and Windows 7 (plus Windows Server 2008) follows on January 14 2020. Mainstream support for Windows 8 and Windows Server 2012 goes on January 9 2018, with extended support dead from January 2023. The full list of Microsoft products reaching end of support status this year is a very long one.

Why is this still a problem?

So why is the legacy threat still here? Why has it not been dealt with as the NHS reinvents itself as a digitally aware organisation that can harness the latest tech to cut costs and improve patient care? Whatever happened to the promised blitz on removing obsolete technology from the NHS that was touted by former parliamentary under-secretary for health George Freeman just last year, following the Caldicott report on data security and information governance? What the hell has gone wrong?

The answers are as obvious as they are depressing: an infrastructure built upon a lack of true forward thinking, improvements held back by a lack of funding, and perhaps most importantly a lack of any real sense of urgency from those who control the purse strings at the highest level.

It is broke, and you do need to fix it

Then there’s the understandable, though I would argue misplaced, adoption of an ‘if it ain’t broke’ mentality to legacy systems – despite them being far from ‘not broke’ under the surface. I have even heard the argument, and far more regularly than I’d like, that the old systems contain data vital to patient care. Data, the argument goes, that might be lost if the system were migrated to something new.

Never mind that the same data might be exfiltrated by God-knows-who exploiting vulnerabilities that only exist because somewhere in the chain of code that runs the thing a patch has not been applied (or is not even available). As I, and a bunch of lawyers, have been musing hereabouts lately, the EU General Data Protection Regulation (GDPR) could bring this cyber-chicken home to roost from next year.

Legacy systems that cannot be replaced, for whatever reason, must be hardened against attack. A risk audit should be a matter of course to identify which systems might fall into this category, and what the implications of neither replacing nor hardening might be.

What do I mean by hardening a system? Easy – applying ‘virtual patching’ to provide intrusion detection and prevention, for example, or running the application itself as a virtual machine within a more secure operating system (Windows Server 2003 can be run inside a virtual machine on Windows Server 2012). Additional security controls are recommended to reduce the attack surface as much as possible – change monitoring/file integrity monitoring software being one such example. Restricting access by closing unused ports is another, as is only allowing permitted applications to run on the legacy system through application whitelisting.
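As an added illustration of the file integrity monitoring control mentioned above (example code, not from the original article), here is a minimal baseline-and-compare check in Python: it hashes every file under an application directory, stores the result, and later reports anything added, removed or modified. The directory contents and file names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root, baseline):
    """Diff the current tree against a stored baseline; returns sorted lists
    of added, removed and modified relative paths (all empty = unchanged)."""
    current = build_baseline(root)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a fake legacy app directory, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        (app / "app.exe").write_bytes(b"legacy binary v1")
        (app / "config.ini").write_text("db=example\n")
        baseline = build_baseline(app)  # would normally be stored off-box
        # Simulate unexpected changes: binary replaced, new DLL dropped, config gone
        (app / "app.exe").write_bytes(b"legacy binary tampered")
        (app / "inject.dll").write_bytes(b"unknown")
        (app / "config.ini").unlink()
        return compare_to_baseline(app, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline should be kept somewhere the legacy host cannot write to, and the comparison run on a schedule with any non-empty result raised as an alert.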

Quite simply, doing nothing is not an option…