CRN FoI data lifts lid on NHS Windows XP usage

Doug Woodburn
4 min read

Security blogger Graham Cluley tells CRN that XP is a factor behind NHS ransomware crisis following CRN FoI request showing that 4.7 per cent of NHS machines are still running XP

Freedom of Information (FoI) data released by CRN in March found that nearly five per cent of NHS computers are still running XP, a figure that has taken on added significance in the wake of the ongoing WannaCrypt (aka 'Wannacry') ransomware attack.

The NHS' continued reliance on unsupported operating systems, including XP, alongside a lack of patching, has been in sharp focus since WannaCrypt struck on Friday.

So far, 47 NHS organisations have been hit by the malicious software, which demands a $300 (£232) payment from users to restore access to their documents.

A full breakdown of the FoI data, which was based on FoI requests sent to all 161 NHS Trusts in December, can be found in our recent Healthcare Report.

Of the 102 Trusts that replied, 51 per cent ran Windows XP in some form, despite Microsoft ending support for the OS in 2014 and ceasing custom support to the UK government a year later.

In total, 4.7 per cent of NHS machines still use XP, the research found, a figure that the NHS itself has since quoted.

Two trusts had 50 per cent and 53 per cent of their estates on XP respectively, and one had 76 per cent of its IT estate on the operating system.

XP 'a factor'

Windows XP had no patch for the vulnerability until Microsoft took the "highly unusual" step of releasing one on Friday.

The extent to which XP was the source of the vulnerability in the NHS is being hotly debated this morning, but security blogger Graham Cluley told CRN that the fact many trusts are still running the 16-year-old OS is a factor.

"The existence of so many XP machines in the NHS underlines the fundamental problems with the computer security of the NHS, which is that they are very reliant on older computer technology," he said.

"I totally understand some of the reasons why they still haven't updated some of those devices. It may be that they have other, more expensive medical equipment running off those XP computers and it's a case of 'we can't just upgrade this equipment because then we can't operate the X-ray machine or MRI scanner, because we don't have the drivers'. But an attack like this really underlines that something has to be done. You only need one vulnerable XP device in the chain for the whole system to go down."

In March, Microsoft released a patch for the vulnerability - which was stolen from the US National Security Agency - and Cluley also said it appeared that not all NHS trusts had acted on it.

"I think Windows XP is a factor, but I think the fundamental problem would appear to be that many computers simply were not patched with a critical fix which Microsoft issued two months ago," he said. "If Microsoft declares publicly 'we have a critical issue with our software and we're telling everyone to apply this patch ASAP', then all organisations should have put the effort into rolling that out as much as possible, and it sounds like this didn't happen in some parts of the NHS. I don't criticise the IT support teams in the NHS as they probably have the most complicated IT security job in the country."

47 Trusts hit

NHS England said in a statement last night that it has been working with 47 organisations that had been struck by WannaCrypt.

"Most have found ways of working around this but seven, including St Barts in London, have asked for extra support," NHS incident director Dr Anne Rainsberry said.

NHS Digital, meanwhile, stressed that the vast majority of NHS organisations report that they are running contemporary IT systems.

"However, it is true to say that a very small percentage of organisations are still in the process of upgrading all their devices from older operating systems; but where this is the case there are simple steps that can be taken to protect against cyber threat," it added in a statement on its website yesterday.

So far, WannaCrypt is thought to have hit over 100,000 organisations in 150 countries.

As of 11am this morning, the three Bitcoin wallets tied to the WannaCry ransomware had received 171 payments totalling $47,510.71, according to @actual-ransom.

Cluley urged against complacency, and criticised government ministers who have proclaimed that the NHS has put up a robust defence.

"How can you even tell that?" he said. "This has just happened. You've got no way of assessing how well you are now protected against this.

"We are now beginning to see other variants of the ransomware coming out, and we have to hope that systems are better protected than they were last week. I imagine we are not going to see as big an outbreak again this week, but that's not to say that other systems won't go down."
