Windows XP ‘still widespread’ among healthcare providers

Microsoft ended Windows XP support a couple years ago, and any veteran security practitioner will remember the constant barrage of malware hurled their way through trivial exploits of the old OS.

But for various reasons — lack of financial resources and compatibility problems, for example — many organizations continue to use it. Case in point: the UK’s National Health Service trusts.

A report in Infosecurity Magazine reveals that 90 percent of NHS Trusts still run Windows XP. The publication cites a Freedom of Information Act request from Citrix in which more than half of respondents weren’t sure when they’d upgrade to a newer OS. Some 14% thought they’d do so by year’s end and 29% expressed hope that they’d shift to a more modern version of Windows at some point in 2017. Citrix got responses from 42 of the 63 trusts it approached.

From the article:

Unless these systems are being protected by virtual patching, they’ll be far more exposed to the threat of attack as Microsoft stopped issuing security updates for government PCs in April 2015.

This isn’t the first time institutions have been seen using Windows XP, and it’s certainly not a problem restricted to the UK.

The HIPAA Journal reported in June that researchers discovered malware infections through medical devices running on legacy systems at three hospitals. They found “a multitude of backdoors and botnet connections,” installed using “ancient” Windows XP exploits. Attackers compromised the machines even though the hospitals had modern, sophisticated defenses in place, the publication reported.

Capture Billing, a medical billing organization based in South Riding, Virginia, estimates on its website that one in four of the world’s PCs still run Windows XP and it’s likely many healthcare facilities need to “take corrective action” immediately. The company warns that such organizations might be violating HIPAA.

“If your medical practice has made any computer purchases within the past 12 years, you might currently be violating HIPAA and not even realize it,” the company says on the website.

Dr Harold Bornstein, longtime physician of president-elect Donald Trump, faced ridicule over the summer when a picture surfaced of him with a Windows XP screen clearly visible on his desk.

It’s easy to frown upon organizations that still use Windows XP. But in fairness, there are plenty of reasons why some have struggled to migrate to something newer. Financial restraints are often cited as a big reason, but another issue is compatibility.

Many healthcare operations, for example, rely on legacy systems that don’t play well with newer versions of Windows, making the changeover more complicated.

It’s also worth noting that in medical facilities, a lot of Windows XP boxes are not connected to the Internet, which makes them less of a security risk.