CRN FoI data lifts lid on NHS Windows XP usage

Freedom of Information (FoI) data released by CRN in March found that nearly five per cent of NHS computers are still running XP, a figure that has taken on added significance in the wake of the ongoing WannaCrypt (aka 'Wannacry') ransomware attack.

The NHS' continued reliance on unsupported operating systems, including XP, alongside a lack of patching, has been in sharp focus since WannaCrypt struck on Friday.

So far, 47 NHS organisations have been hit by the malicious software, which demands a $300 (£232) payment from users to restore access to their documents.

A full breakdown of the FoI data, which was based on FoI requests sent to all 161 NHS Trusts in December, can be found in our recent Healthcare Report.

Of the 102 Trusts that replied, 51 per cent ran Windows XP in some form, despite Microsoft ending support for the OS in 2014 and ceasing custom support to the UK government a year later.

In total, 4.7 per cent of NHS machines still use XP, the research found, a figure that the NHS itself has since quoted.

Two trusts had 50 per cent and 53 per cent of their estates on XP respectively, and one had 76 per cent of its IT estate on the operating system.

XP 'a factor'

Windows XP did not have a patch against the Microsoft vulnerability until Microsoft took the "highly unusual" step of releasing one on Friday.

The extent to which XP was the source of the vulnerability in the NHS is being hotly debated this morning, but security blogger Graham Clulely told CRN that the fact many trusts are still running the 16-year-old OS is a factor.

"The existence of so many XP machines in the NHS underlines the fundamental problems with the computer security of the NHS, which is that they are very reliant on older computer technology," he said.

"I totally understand some of the reasons why they still haven't updated some of those devices. It may be that they have other, more expensive medical equipment running off those XP computers and it's a case of 'we can't just upgrade this equipment because then we can't operate the X-ray machine or MRI scanner, because we don't have the drivers'. But an attack like this really underlines that something has to be done. You only need one vulnerable XP device in the chain for the whole system to go down."

Microsoft released a patch for the vulnerability - which was stolen from the US National Security Agency - in March, and Cluley also said it appeared that not all NHS trusts had acted on this.

"I think Windows XP is a factor, but I think the fundamental problem would appear to be that many computers simply were not patched with a critical fix which Microsoft issued two months ago," he said. "If Microsoft declares publicly 'we have a critical issue with our software and we're telling everyone to apply this patch ASAP', then all organisations should have put the effort into rolling that out as much as possible, and it sounds like this didn't happen in some parts of the NHS. I don't criticise the IT support teams in the NHS as they probably have the most complicated IT security job in the country."

47 Trusts hit

NHS England said in a statement last night that it has been working with 47 organisations that had been struck by WannaCrypt.

"Most have found ways of working around this but seven, including St Barts in London, have asked for extra support," NHS incident director Dr Anne Rainsberry said.

NHS Digital, meanwhile, stressed that the vast majority of NHS organisations report that they are running contemporary IT systems.

"However, it is true to say that a very small percentage of organisations are still in the process of upgrading all their devices from older operating systems; but where this is the case there are simple steps that can be taken to protect against cyber threat," it added in a statement on its website yesterday.

So far, WannaCrypt is thought to have hit over 100,000 organisations in 150 countries.

As of 11am this morning, the three Bitcoin wallets tied to the WannaCry ransomware had received 171 payments totalling $47,510.71, according to @actual-ransom.

Cluley urged against complacency, and criticised government ministers who have proclaimed that the NHS has put up a robust defence.

"How can you even tell that?" he said. "This has just happened. You've got no way of assessing how well you are now protected against this.

"We are now beginning to see other variants of the ransomware coming out, and we have to hope that systems are better protected than they were last week. I imagine we are not going to see as big an outbreak again this week, but that's not to say that other systems won't go down."

• Tweet  
• Facebook  
• LinkedIn  
• Send to  

• Topics
• Security
• Wannacrypt
• Wannacry
• Security Hub