10.11.14
Trusts ‘at risk of hacking’ after failing to extend Windows XP support
There are 18 NHS trusts still using Windows XP that failed to sign up to a government agreement with Microsoft to extend security support for the operating system.
In April, the Cabinet Office sent out a letter headed ‘Urgent Action’, telling all trusts that it had negotiated an agreement with Microsoft extending support for Windows XP across the entire public sector, but that to benefit from continued security patch downloads, trusts needed to put a ‘Premier Services Agreement’ (PSA) in place with Microsoft.
The letter said: “If you have not migrated away from Microsoft XP then you must urgently take out a PSA to continue to access critical and important security updates beyond 8 April 2014.
“It is imperative that your organisation clearly understands the risk that is placed on it should the decision be not to take out a PSA,” the letter added.
However, FOI requests and analysis by The Register IT website have recently revealed that while the majority of trusts that still use XP have put an agreement in place, 18 failed to arrange a PSA and therefore have not received security patch downloads since April.
The deadline for the PSA was prior to the first full patch release on 13 May.
According to the FOI requests, some trusts have up to 4,500 machines running Windows XP with no security patches in place and a total of 1.1 million PCs and laptops are estimated to be running XP at trusts, GPs and other NHS groups in England.
David Harley, a former NHS IT manager who now works as a senior researcher with net security firm ESET, told The Register that it was impossible to gauge the full extent of the security implications of trusts failing to sign the PSA. The level of risk will depend on the context for which the machines are used, he said.
“If there is an internal network connection (even sneakernet), the risk increases, but that risk may depend on how many non-upgraded machines are on the network, the effectiveness of perimeter defences, the availability of suitable exploits to a potential attacker, and so on. An internet connection on a machine that carries sensitive data itself, or allows access to it, is probably most at risk.”
NHE contacted NHS England for comment, but it had not responded by the time of publication.
When the agreement was first signed, a Microsoft spokesman told NHE’s sister title Public Sector Executive: “We have made an agreement with the CCS to provide eligible UK public sector organisations with the ability to download security updates to Windows XP, Office 2003 and Exchange 2003 for one year until 14 April 2015.
“Agreements such as these do not remove the need to move off Windows XP as soon as possible.”