Hospitals across England are running thousands of out-of-date Windows XP machines, potentially putting patient data and other sensitive information at risk.
Motherboard has found that at least 42 National Health Service (NHS) trusts in England are still using the Windows XP operating system, with many of them confirming that they no longer receive security updates for the software. Legal experts say that the NHS hospitals may be in breach of data protection regulations.
"If hospitals are knowingly using insecure XP machines and devices to hold and otherwise process patient data they may well be in serious contravention of their obligations," Jon Baines, Chair of the National Association of Data Protection and Freedom of Information Officers (NADPO), wrote in an email.
In April 2014, Microsoft officially ended support for Windows XP, meaning that the company would no longer release security patches for the aging operating system. Any vulnerabilities discovered after that date would therefore be left for hackers to exploit. Governments and businesses could pay Microsoft for a custom extended support deal; the Crown Commercial Service, which is sponsored by the Cabinet Office, spent £5.5 million ($9 million) to continue receiving updates for the public sector, including for the NHS. That agreement ended in April 2015 and was not renewed.
"If you do not apply security updates to a system's software, it will become progressively more vulnerable over time"
The Cabinet Office directed questions to the Department of Health, which said in an email that, "In April 2014, the Department of Health and the Cabinet Office wrote to all NHS Trusts stressing the urgent need for them to move away from using Windows XP, and offering transition funding. The National Data Guardian, Dame Fiona Caldicott, has made clear the need for health and care organisations to remove unsupported operating systems."
Motherboard filed Freedom of Information Act (FOIA) requests with just over 70 NHS hospital trusts, asking how many Windows XP machines they currently own, maintain, or use. Forty-eight replied within 20 working days, the time allotted by the FOIA.
Forty-two of those said they were still using Windows XP machines. Three neither confirmed nor denied they held the information requested, claiming it would jeopardise the health and safety of their patients.
Motherboard then asked the hospitals that still used XP machines if they had purchased a support agreement with Microsoft. All but one of the 23 hospitals that replied by the time of writing said they had not purchased extended support.
For example, East Sussex Healthcare has 413 XP machines, Sheffield Children's Hospital has 1,290, and Guy's and St Thomas' NHS Trust in London has an incredible 10,800 computers running Windows XP, all of which are not receiving security updates.
Tim Turner, a former Information Governance advisor in the NHS who now trains organisations on data protection and FOIA, told Motherboard in an email that,under the Data Protection Act, organisations have to prove they have taken appropriate technical measures to keep information safe.
"I think it's self-evident that using an effectively obsolete operating system isn't appropriate," he added.
"We like to imagine even updated Windows XP platforms [are] like an unlocked Honda Civic from the 1980s"
When asked for comment, the Information Commissioner's Office (ICO), the independent body that upholds data protection law in the UK, pointed to several of its previous posts about data protection and out-of-date software.
"If you do not apply security updates to a system's software, it will become progressively more vulnerable over time as more security flaws are discovered and methods for exploiting them become more widely-known. The same situation will arise when the developers discontinue technical support for a software product, which normally means that no more security updates will be available," the ICO wrote in one document published in May 2014.
Financially-motivated hackers have targeted hospitals before, particularly in the US. A source from The Dark Overlord, a hacker or group of hackers that has recently stolen data from medical organisations for ransom, summed up how much of a security issue using out-of-date Windows XP machines might pose.
"We like to imagine even updated Windows XP platforms [are] like an unlocked Honda Civic from the 1980s," they told Motherboard in an online chat.
However, at least some of the hospitals do have other security mechanisms in place. Mary McConnell, a communications officer from the Royal Free London NHS Foundation Trust, which reported that it had 181 Windows XP machines without security updates, told Motherboard that the hospital had "anti-virus software, encryption, intrusion detection, firewalls and a DMZ." (A DMZ is an additional layer of security on an organisation's network.)
Some of the hospitals said they planned to update their XP machines to a current operating system by the end of the year. One trust that responded to the FOIA request had already upgraded a large number of its computers.
Caldicott, the National Data Guardian, published a complete an independent review of data security in the English health and care system in July, with the purpose of developing new security standards. The Department of Health said it will respond to that review later in the year.
Microsoft declined to comment beyond one of its blog posts stating that Windows XP would no longer be supported.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.