NHS Denies Widespread Windows XP Use

WannaCry Ransomware Outbreak Impacted Less-Prepared Organizations, Experts Note

The massive WannaCry ransomware outbreak that began May 12 has led to allegations that some organizations - especially in the public sector - were less well-prepared for the attacks, perhaps because of inadequate IT investments or the use of outdated and unsupported Windows operating systems.


In Britain, for example, the National Health Service, or NHS, has vigorously denied reports that its systems were so widely infected due to widespread Windows XP use.

Windows XP remains the world's third most-used operating system, accounting for 7 percent of all endpoints, compared to Windows 7 at 49 percent and Windows 10 at 26 percent, according to market researcher NetMarketShare. Microsoft, however, stopped supporting XP with security updates and patches in 2014.

Desktop operating system market share, April 2017. (Source: NetMarketShare)

Regardless of what operating system is being used, widespread infections at NHS trusts in England and Scotland, as well as doctors' offices and hospitals, led to allegations that government officials failed to properly invest in information technology.

Apparent Culprit: Unpatched Windows 7

Based on new information, however, part of the problem appears to be that many NHS trusts haven't installed the latest Windows 7 patches.

"I think what is also becoming clear is that the NHS impact was a result of lack of patching Windows 7 rather than outdated XP," Alan Woodward, a professor of computer security at the University of Surrey and a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol, tells Information Security Media Group.

"If this is the case, then it shows that there is a lack of resources across the NHS IT estate," he adds.

On May 13, the NHS issued a statement responding to "widespread speculation about the use of Microsoft Windows XP by NHS organizations, who commission IT systems locally depending on population need."

But the NHS says that most of its systems are currently still receiving patches and security updates from Microsoft.

"While the vast majority are running contemporary systems, we can confirm that the number of devices within the NHS that reportedly use XP has fallen to 4.7 percent, with this figure continuing to decrease," the statement reads.

"This may be because some expensive hardware - such as MRI scanners - cannot be updated immediately, and in such instances organizations will take steps to mitigate any risk, such as by isolating the device from the main network."

Windows XP Transition Strategy

The government has long been urging trusts to dump outdated Windows systems.

In April 2014, the U.K. government's Cabinet Office and the NHS issued an urgent call to all NHS trusts to migrate off of Windows XP, saying that it had secured a deal with Microsoft to buy them 12 months' respite.

"The Department of Health (DH) and Crown Commercial Services (CCS) have now concluded a new agreement with Microsoft. This makes Custom Support for Windows XP SP3, Office 2003 SP3 and Exchange 2003 SP2 available to any NHS organizations that require it until 14 April 2015; whilst migration away from Microsoft XP is undertaken," reads the Cabinet Office statement, dated April 8, 2014.

But the government continues to face tough questions over how much new funding it has allocated to subsequent migration and information security efforts.

Britain's governing Tory party has issued a statement saying it's given the NHS £50 million ($64 million) for IT funding, but it's not clear when exactly that money was allocated or if it's enough.

Cybersecurity expert Chris Pierson, CSO and general counsel for payment technology firm Viewpost, tells Information Security Media Group that health services and organizations in at least a dozen countries have been affected by WannaCry.

But he says that's no surprise, given that "healthcare computers are usually always on, less frequently patched due to their role in the healthcare process, and oftentimes hospitals and clinics are lagging behind on cybersecurity controls."

Law Enforcement Responds

Meanwhile, law enforcement agencies, including Europol, say they are hunting for the culprits behind the WannaCry campaign.

The U.K.'s National Cyber Security Center, which includes the country's computer emergency response team, says: "NCSC is working with affected organizations and partners to investigate and coordinate the response in the U.K."

In the United States, meanwhile, the Department of Homeland Security's U.S. Computer Emergency Readiness Team also issued an alert on the Microsoft SMBv1 vulnerability and reiterated longstanding advice for combating ransomware.

The U.S. Department of Health and Human Services has said it's been working with the healthcare sector to help it respond. It has also urged organizations to beware of email-borne threats on the heels of reports that Telefonica's WannaCry outbreak appeared to begin after an employee received the ransomware attached to an email.

Beware Monday Morning

Some security experts predicted that new WannaCry infections will spike on May 15.

Europol Director Rob Wainwright told the "Preston on Sunday" news program in Britain that more than 200,000 endpoints in 150 countries had been infected as of May 14, and that he is worried that many more could be infected when workers return to their offices on May 15 and power up their systems.

From a strategic standpoint, however, Wainwright says that one lesson to be learned from these attacks centers on preparation. For example, he notes, "very few banks, if any, have been affected by this."

Of course, that's no accident. "They've learned through painful experience of being the No. 1 target for cybercrime, and I think the health sector and others should follow the example of some others so that they now sit up and take notice of what is absolutely a huge, strategic concern," Wainwright said.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
