NHS XP patch scratch leaves patient records wide open to HACKERS

Thousands of patient records could be left exposed to hackers, as up to 20 NHS trusts have failed to put an agreement in place with Microsoft to extend security support for Windows XP via a patch, The Register can reveal. The majority of trusts still operate Windows XP and have signed up to a £5.5m Cabinet Office agreement …


  1. johnaaronrose

    Force them to upgrade

    It seems to me that one way to make the 'naughty' ones get extended support or upgrade is to publish a list of the 'unupgraded' Trusts. Anybody have such a list?

    1. Anonymous Coward
      Linux

      Re: Force them to upgrade

      To Linux ?

      1. dogged
        FAIL

        Re: Force them to upgrade

        Hooray! That'll completely solve the problem in only 10-12 years!

        1. Anonymous Coward
          Anonymous Coward

          Re: Force them to upgrade

          Four of the large international banks I've been working with recently are still mostly on XP. They've never applied the latest patches but instead rely on AV, firewalls etc to keep them safe. Seems to have been working for some time.

          OK, this is the NHS so the AV is probably crap and the firewalls poorly implemented..............

        2. Stretch

          Re: Force them to upgrade

          Doesn't solve anything. Just moves the lock in. By the time you move, not one coder will be left on any linux app you use. Average time to new Flavour Of The Month in Linux is about 3-4 months, then anything you have will be 'old' and 'lame' and no one will touch it, Grandad.

          A year ago all the linuxkids would have told you to rebuild all your apps using Ruby On Rails. Now none of them would touch that lame old solution...

  2. gazzton

    Thanks for the pearl of wisdom

    "An internet connection on a machine that carries sensitive data itself, or allows access to it, is probably most at risk," he said.

    I think you're probably right

  3. This post has been deleted by its author

    1. billat29

      Re: another example of copyright working against the public good

      Ah! The escrow racket. Eventually you get your hands on a bunch of files that will only compile on a back level version of an unsupported language.

      Then you are going to have to find people who will admit to remembering something about it and then they have to figure out ancient patched code to find out what it does (or doesn't) do.

      Good luck with that one.

    2. Gene Cash Silver badge
      Facepalm

      Re: another example of copyright working against the public good

      Are you f'ing serious? Do you really propose to support the Win XP codebase all by your lonesome?

      Did you not see the fiasco that resulted when Netscape opensourced all its code and it turned out to be a complete mess? Do you think *Windows* would be any better?

    3. Stuart Castle Silver badge

      Re: another example of copyright working against the public good

      Your idea is fine in theory. However, to maintain the code, someone would need the knowledge, the time, the inclination and the tools. None of those is a given. Look at Open SSH. Open Source, so the code is freely available. I'd argue that plenty of people have the knowledge required to maintain it. It is, I believe, built using Open Source tools yet, somehow, despite millions of people having the knowledge, tools and source code to maintain it, very few people did. And this was for a product used at the core of *many* large organisations and international companies.

      Having the source and the tools required to compile it freely available is no guarantee that someone will bother to maintain it.

  4. Chris Miller

    It all depends

    If you've got thousands of desktops still running XP, you've got a problem. If you have a handful of systems that don't connect to your main network or the Internet and don't hold high-value data, I'd struggle to justify the (significant) cost of paying for extended support.

    1. Anonymous Coward
      Anonymous Coward

      Re: It all depends

      It's already paid for.

      1. Ken Hagan Gold badge

        Re: It all depends

        "It's already paid for."

        Do you mean that the Cabinet Office has already paid the money (out of their own budget) and is merely looking for as many NHS Trusts as possible to "sign up" and thereby transfer that cost from the CO to the Trusts, thereby saving the CO officials the problem of explaining why they spent the cash?

        That would certainly put an interesting spin on their "sky is falling" rhetoric.

    2. Anonymous Coward
      Anonymous Coward

      Re: It all depends

      From what I've seen, the majority of NHS computers are essentially just running a terminal emulator anyway. I don't see how XP is any worse than anything else at hosting that.

      Also, end of support doesn't mean that suddenly it's all open for anyone to gain access. It just means that new holes won't be patched. It will still need a concerted attack to breach the perimeter defences before they can even start to attack individual PCs.

      Of course, I'm assuming that the sysadmins have already removed as much of IE as they can and certainly hidden the icons for it!

      1. Anonymous Coward
        Anonymous Coward

        Re: It all depends

        Terminal emulators are on their way out but you'd be surprised how many people working in IT in the public sector think that they can't upgrade to Win7 because they're using a 16 bit terminal emulator called Realink. Do these people never think to ask how the org next door, which used to use Realink, managed to get onto Windows 7?

  5. David Pollard
    Joke

    A Conspiracy Theory

    This is all deliberate. The plan is to have lots and lots of medical data leaked and to be able to pass the buck and blame someone else; in this case Microsoft who lots of people hate anyway. Then when it comes to questions about the new Care.Data database no one will have anything to lose.

    Icon because the alternative is to cry.

  6. Just Enough
    Boffin

    Incomplete data

    "18 trusts – including some larger authorities – have failed to sign the agreement"

    "74 per cent intend to have finished migration just before Microsoft withdraws extended support."

    So we have two subsets, but no indication of where they fail to overlap each other. So really no basis for concluding anything.

  7. Anonymous Coward
    Anonymous Coward

    So, El Reg, which NHS Trusts is it?

    The article says that responses to 140 FoI requests have been sent to El Reg. So who were the FoI requests sent to, what did they ask, and what do the responses say?

    There are 254 NHS Trusts listed here: http://en.wikipedia.org/wiki/List_of_NHS_trusts and I suspect that the total hasn't changed significantly since the list was compiled.

    So were FoI requests sent to *all* NHS Trusts? Did some fail to reply?

    Which NHS Trusts have confirmed that they have / have not signed up to the Microsoft agreement?

    I'm wondering because I got an interesting "data sharing" / Data Protection Act info sheet from my local NHS Trust last week when they sent me an appointment, and it does flag up that although there is the "NHS", the name and logo is very much for show - there are an awful lot of very distinct legal entities operating under the "NHS" name/logo dealing with data for *every* patient, and so ensuring that access to your very personal and private information is safely (I know... it's all relative ;) controlled is worth thinking about.

    1. x 7

      Re: So, El Reg, which NHS Trusts is it?

      that list is incomplete - none of the primary trusts (the GP controlling trusts) are listed - and they are a big part of the problem

  8. Anonymous Coward
    Anonymous Coward

    name names

    so, which 20 trusts are without XP support then?

  9. the-it-slayer

    Current government + IT = not important / ignorant

    The problem is, we've got so used to IT overspends/failures/security leaks that this sort of thing in the general public eye gets ignored. Why should anybody's data be processed on an OS that's over 13 years old? It's darn crazy. The lack of any sort of integrated IT strategy is making things much more expensive than it actually needs to be. Hundreds of different managers making decisions on kit and OS replacement has resulted in chaos with the Gov trying to twist the arms of some possibly resisting the change.

    Although I don't want to piggyback off the scaremongering media about ISIS etc, the threat of cyber criminals wanting to take more control by attempting to steal public data I can only imagine is increasing day-by-day. More reason to spend the money (and at least allow NHS trusts to have the budget to do a quick migration now rather than supporting XP for another few months). God knows what other software the NHS is using to update the data records which is not being updated due to software licensing or companies going bankrupt/not supporting the product. I guess the rabbit hole could be huge on this subject and we only see the surface of it.

    1. BlartVersenwaldIII

      Re: Current government + IT = not important / ignorant

      Computing isn't alone in this - it's a systemic problem whenever money is involved. Maintenance of any system costs money and, to the untrained eye, even after spending a fortune on "upgrades" and "urgently needed works" you end up exactly where you (think you) started. IT is just one of many crucial bits of infrastructure that's seen as a money pit and people will rarely want to spend time and money on it until it's already become an expensive catastrophe. I think it's just how many people are wired.

      Bit of a tangent, but episode 5 of Stewart Brand's excellent series "How Buildings Learn" touches on the same subject and looking back on it now (when I first saw it I was still in school) it's amazing how many of the lessons are directly applicable to IT (although probably not a coincidence as Brand comes from a computing background himself).

      http://www.youtube.com/watch?v=j_dozoqw4To

      1. the-it-slayer

        Re: Current government + IT = not important / ignorant

        I guess you're very right. Every company I've worked in apart from my current role (web tech firm) always saw IT as the bitter end of budget spending. Even a private school I once worked at didn't want to invest in a fibre line (to sort out the ADSL/SHDSL mess we had to support 250 students on site - 14Mbps shared over those students!?) to drastically improve internet access. Yes, the one time cost of install from BT was ridiculous, but we had no choice being in the middle of a field. It was the attitude of the management (even my boss being very good at standing a good case for expensive kit) couldn't convince them of the benefits of such a line to add extra services (to both students and teachers).

        NHS need to learn the arts of the open-source community (tools such as Chef/Chocolatey etc) fast if they need to catch up. You can do things on a budget, but need the skills. If NHS don't want to pay for the skills/expertise, then they're in a dead-end anyway to get out of the hole they're in.

  10. John Brown (no body) Silver badge

    Optional security?

    The Cabinet Office advice seems to be implying that continuing to use WinXP without a support agreement in place is a valid option so long as the risks have been assessed.

    If there are any WinXP machines which are the cause of sensitive data leaks then that would be criminal negligence on the part of the Trust since it would be pretty unbelievable that no one knew of the risks. Someone, somewhere in the trust has to have taken the decision to not spend the money upgrading or putting in a support agreement and that/those head(s) ought to roll when (not if) it happens.

  11. dogged
    Meh

    In before

    the usual calls for MS to support XP forever because they should! Because your car gets serviced for free every year forever after you buy it (or something)! And because all those people who think the NHS is a special case because it's so lovely already give up all their time working for the NHS for free because it's so lovely, obviously.

    1. Sven Coenye

      Re: In before

      But the car manufacturers do have to provide patches for a lot longer than MS is willing to.

      GM is replacing the defective ignition switches on models dating back to 1999, including brands that no longer exist. Toyota bought out a fleet of trucks with prematurely rusting frame rails going back to 1995.

      And while vehicles are a tad more expensive individually, the cost to upgrade a fleet of still adequately functioning computers will set you back a few nice cars easily.

      1. dogged

        Re: In before

        Yes they are. Note, however, that Intel are NOT making motherboards for XP installs.

        1. Sven Coenye

          Re: In before

          That's OK as no one is talking about new XP installs.

          1. dogged

            Re: In before

            So when a board dies and you can't replace like-for-like, that's fine with you. Okay.

  12. Tim 11

    would that really make any difference?

    Here's a simple thought experiment:

    1. list at all the ways an attacker could try to get access to patient records

    2. remove from the list anything that does not depend on a known vulnerability which only exists in windows XP

    3. remove from the list anything where that vulnerability would probably not have been fixed by Microsoft even if XP were still in support

    Anything still left on that list? I bet it's a pretty small percentage

    1. the-it-slayer

      Re: would that really make any difference?

      That's a very arrogant way of seeing things.

      One point to squat all of those. The list of new unknown vulnerabilities that will never get patched because XP isn't supported anymore? NHS is a big risk knowing how much data there is in every NHS Trust system and it being publicly in the spotlight for not progressing to a supported OS version. Not just that, but a leverage system to push attacks on other systems used on wards etc.

      At the end of the day, the NHS should not have computer systems sitting on an OS that is 13 years old. End of. If you were in a big private sector business (finance etc); you'd be in the firing line for being that slow.

  13. Stretch

    Dumb Terminals.

    That is all.

    1. the_it_consultant

      Re: Dumb Terminals.

      The problem is that the NHS is riddled with hundreds of unique applications and some of these are even home-grown. They rely on specific 'features' of the OS that might not exist in new versions.

      It's a massive task to upgrade all of their PCs to a new OS because each and every one of these applications would need to be tested. Any issues found during testing would need to be flagged and handed back over to the software authors (if they still exist) and all problems resolved before they can upgrade. That takes time and resource, something that the NHS is struggling to meet.

      In some cases, devices running XP (or worse still Win2K - and yes they are still out there) are not exposed directly to the internet but of course they are still on the same network so could still be at risk. Removing access to the internet is one option but it's not enough...

      I feel for the NHS but I also think they are being complacent. They have to do something because to do nothing essentially exposes them to financial penalties. And we will all pay for those indirectly...

      BTW - I don't work for the NHS but I do work with them...

  14. Anonymous Coward
    Anonymous Coward

    How many...

    So how many Trusts were actively patching their XP estate before XP support ended? Surely if this stat was known I don't think this would be such an issue. We have almost completed migration, but prior to this we only applied critical patches, very infrequently. We used enterprise level AV protection, not some free package, and our firewalls were managed by a third party contract.

    So all these people that bang on about switching to Linux, how many clinical systems in an acute hospital will run on Linux? These people have obviously never worked in an acute hospital and probably manage an estate of 5 PCs running open office with no other systems.

    And people shouldn't underestimate the amount of effort required to migrate an estate of 4000 PCs and the cost of doing so, and I am sure that given the choice between being treated in A&E and the machine the nurse is entering their details on being patched, they would choose the former.

    1. Andrew Meredith

      Re: How many...

      I wonder if anyone did the maths to calculate the costs to migrate to Win 7 including hardware upgrades vs. migration to Linux which would likely not involve uprated hardware. The cost of the hardware versus the skills update to Linux, then lose forever the cost of licensing Windows.

      I know many people have a religious affection for Windows, but in many cases the hard headed financial calculation *should* make it a no-brainer these days; after all whole cities have switched wholesale to Linux and open source. Seems to me that if a whole city can do it.......

  15. Anonymous Coward
    Anonymous Coward

    And

    Wandering through Gatwick on my way home from a holiday last month I noticed a number of PCs, in what I would have thought are critical areas, still on XP. I would rather this was sorted before I fly again than someone find out that I broke my toe three years ago.

    1. Anonymous Coward
      Anonymous Coward

      Re: And

      Most of Heathrow's only just about migrating off XP now...

      http://www.airport-technology.com/contractors/consult/arinc/pressheathrow-arinc-passenger-processing-services.html

    2. Ken Hagan Gold badge

      Re: And

      Do you suppose those machines (in public areas) had an internet connection, or that the logged in user had administrative rights, or that there were exposed USB sockets still configured to autorun? Are you sure they weren't the embedded edition or the server edition?

      1. gh4662

        Re: And

        Oh, so PCs can only get viruses if they are connected to the Internet, so I have been worried about viruses that spread via LAN for no reason.... Phew

  16. Colin Tree

    secure, portable patient records

    The whole concept of centralised records is flawed. We might bang on about XP, but that's only one issue. The more complicated the system the more possibilities of failure. We have seen government medical systems costing too many $millions and failing spectacularly.

    If you hold your own medical records on a USB stick, you can go for medical treatment anywhere, you have your complete medical history available and it gets updated with each visit to any doctor or medical service.

    Could contain images, scans, EEG records, pathology results, doctors notes, medication prescribed and dispensed, etc. A more intelligent unit could be programmed to remind you when and how to take medication or give appointment reminders, or in emergencies transmit a medi-alert.

    Take it home and back it up encrypted on your home computer. You run a virus scan on your own stick, the medical centre does a virus check on your stick, hopefully your stick doesn't get sick.

    We rely too much on centralised servers. If your computer gets hacked the hackers get one encrypted record, not a worthwhile target. It is worth the hackers effort to get an organisations server with thousands of records.

    1. Ken Hagan Gold badge

      Re: secure, portable patient records

      USB sticks? Really?

      Look at it from a doctor's point of view. You are about to recommend a course of action that might seriously harm some patients, but because you can trust the medical records you know that this patient will seriously benefit. Now let those records be the responsibility of the patient.

      Look at it from an insurance company's point of view. How long would it be before we saw programs to let patients "correct mistakes" in their medical records.

      No. I'm afraid centralisation makes a lot of sense for medical records. It just needs to be done securely. Sadly, most governments seem to look at our medical records as a cost that hasn't yet been recouped by flogging them on to all and sundry, and maintaining our privacy as merely a way to preserve the value of those records prior to the sell off.

  17. J 7

    Much hot air been expended here by people who should know better. It's amazing how much gibberish the pairing of "NHS" and "IT" creates.

    There are a number of underlying issues here, but the two main ones are due to the various governments' fractionalising policies over the last 15 years which have led to reduction in size of organisational units, and the depletion of management skills. The worst of these was the dismembering of the PCTs and their replacement with GP-led CCGs. What did that achieve? The emasculation of any decent management within the NHS and its replacement by a bunch of empire-building ego-driven GPs, each with their own little private fiefdoms. There are several quality software suppliers to the NHS trying to bring order to the current chaos by offering upgrade routes, but finding themselves blocked by inept NHS management.

    So why the delays in implementing Windows 7?

    1) GP-led CCGs not seeing it as a priority. They prefer to spend their money on fancy offices

    2) Fragmentation. There are too many contact points within the NHS to deal with, making finding someone to whom we can sell an upgrade solution damn difficult

    3) Software issues. While most of the major clinical recording software packages will run on Windows 7, some will not, even now. That's one of the reasons CSC left the GP market two years ago. Other suppliers have had a torrid time - one widely used package uses partly 8-bit CP/M code running in an emulator. Happily that package is now in the process of being killed off and replaced with a cloud solution, but it's a hard job weaning the users off the old code.

    Many other examples exist: a lot of plug-in software such as online test requests only work with Internet Explorer 7 or 8. IE9 or 10 kills the java routines. The NHS identity card software will only work with Java 6 v17. Anything newer kills it. The depreciation database used by a lot of Northwest trusts as a Citrix application will not work with a version of MSOffice newer than 2007.

    The list goes on and on.......the problem is each trust has its own collection of software, much of it with a relatively small number of users on a national scale, but significantly locally. And many of these routines duplicate each other pointlessly. How many different labelling programs do you need? How many clinical systems do you need?

    It's time for the government - or someone in authority - to pull rank, knock heads together and order the CCGs what to do - with the threat of sanctions / sacking if they don't

    1. gh4662

      A voice of reason at last.

  18. x 7

    There is of course the elephant in the room which no-one's mentioned........most NHS servers are Win2003 and a lot of the software running on them isn't compatible with 64-bit Windows.

    You can't purchase 32-bit windows servers any more.....

    This is likely to be a bigger problem in terms of risk than the XP problem

    1. Ken Hagan Gold badge

      "a lot of the software running on them isn't compatible with 64-bit Windows"

      I'm intrigued. Apart from the obvious but unlikely method of retrieving the Windows version string and copping out if you see the word "server", how does one go about writing 32-bit software that doesn't run on a 64-bit server platform's 32-bit layer? I don't think I've ever bumped into a program that didn't, so even if it is possible I still doubt whether it is common.

      And a follow-up question: With regard to all of the *technical* problems ... nearly all of the same problems must have been faced by all of the large enterprises that were using XP/2k3 ten years ago and which have since managed to migrate. So how did they do it? Is the NHS facing a qualitatively different challenge from big business, or are we just facing a severe case of "I only started thinking about it last year."?

      1. x 7

        " how does one go about writing 32-bit software that doesn't run on a 64-bit server platform's 32-bit layer"

        because much of it is 16-bit. Not 32-bit

        Or as I mentioned earlier for one well-used program, 8-bit code running in a bespoke emulator

        1. Ken Hagan Gold badge

          Re: 16-bit software

          If we're talking about 16-bit software, but insisting that they are a migration headache, we're talking about a 16-bit *app* that nevertheless has been coded in such a way that it must run on a Server edition of Windows (since 32-bit Client editions certainly still exist).

          So I think I'm still curious. WTF are these hideous crocks?
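The exchange above turns on whether the stuck applications are 32-bit (which run in the 64-bit platform's WOW64 layer) or 16-bit (DOS and NE images, which 64-bit Windows cannot run at all because it has no NTVDM/WOW16). A quick way to settle that for an application inventory is to read each executable's header. The following classifier is an added example, not code from the thread or from any NHS supplier; the file names and header bytes in SAMPLE_INVENTORY are constructed for illustration and the helper names (classify_executable, x64_blockers) are my own.

```python
"""Classify Windows executables by header format (added example, not from the thread).

64-bit Windows has no NTVDM/WOW16 layer, so DOS and 16-bit NE programs will
not run there at all, whereas 32-bit PE programs run under WOW64. Running this
over an application inventory separates the two cases.

The sample headers at the bottom are constructed; they are not real applications.
"""
import struct
from typing import Dict, List

MZ_SIGNATURE = b"MZ"
NE_SIGNATURE = b"NE"          # 16-bit "New Executable" (Windows 3.x era)
PE_SIGNATURE = b"PE\x00\x00"
PE32_MAGIC = 0x10B            # optional-header magic for 32-bit images
PE32PLUS_MAGIC = 0x20B        # optional-header magic for 64-bit images


def classify_executable(data: bytes) -> str:
    """Return one of: dos, ne16, pe32, pe32+, unknown."""
    if len(data) < 0x40 or data[:2] != MZ_SIGNATURE:
        return "unknown"
    # e_lfarlc (offset 0x18): a plain DOS program keeps its relocation table
    # inside the 0x40-byte header, so a value below 0x40 means no "new"
    # header (NE/PE) follows.
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]
    if e_lfarlc < 0x40:
        return "dos"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        return "dos"
    signature = data[e_lfanew:e_lfanew + 4]
    if signature == PE_SIGNATURE:
        # The 20-byte COFF file header follows the signature; the optional
        # header's Magic field comes right after it.
        magic_offset = e_lfanew + 4 + 20
        if magic_offset + 2 > len(data):
            return "unknown"
        magic = struct.unpack_from("<H", data, magic_offset)[0]
        if magic == PE32_MAGIC:
            return "pe32"
        if magic == PE32PLUS_MAGIC:
            return "pe32+"
        return "unknown"
    if signature[:2] == NE_SIGNATURE:
        return "ne16"
    return "dos"


def x64_blockers(inventory: Dict[str, bytes]) -> List[str]:
    """Names of images that cannot run on 64-bit Windows (16-bit or DOS)."""
    return sorted(name for name, data in inventory.items()
                  if classify_executable(data) in ("dos", "ne16"))


def _mz_header(e_lfanew: int, e_lfarlc: int = 0x40) -> bytes:
    """Build a minimal 64-byte DOS header (constructed test data)."""
    header = bytearray(0x40)
    header[:2] = MZ_SIGNATURE
    struct.pack_into("<H", header, 0x18, e_lfarlc)
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header)


# Constructed sample "inventory": header bytes only, no real code.
SAMPLE_INVENTORY: Dict[str, bytes] = {
    "legacy_label_printer.exe": _mz_header(0x40) + NE_SIGNATURE + bytes(62),
    "ward_terminal32.exe": _mz_header(0x40) + PE_SIGNATURE + bytes(20)
                           + struct.pack("<H", PE32_MAGIC) + bytes(222),
    "reporting64.exe": _mz_header(0x40) + PE_SIGNATURE + bytes(20)
                       + struct.pack("<H", PE32PLUS_MAGIC) + bytes(238),
    "old_dos_tool.exe": _mz_header(0, e_lfarlc=0x1C) + bytes(16),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_INVENTORY.items():
        print(f"{name:28s} {classify_executable(blob)}")
    print("will not run on 64-bit Windows:", x64_blockers(SAMPLE_INVENTORY))
```

Point it at real files by reading the first few hundred bytes of each executable into the inventory dictionary; anything reported as dos or ne16 is a genuine 64-bit blocker, while pe32 results are candidates for WOW64 and usually fail for some other reason (a version-string check, a 16-bit installer, or a driver) rather than the bitness itself.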

      2. x 7

        "Is the NHS facing a qualitatively different challenge from big business, or are we just facing a severe case of "I only started thinking about it last year.""

        The NHS suffers in comparison with big business in being so fractionalised. You don't deal with the NHS as a single business - you deal with an ever-changing cascade of myriad NHS Trusts, CCGs, CSUs and individual surgeries, each with their own independent ideas of what they want (usually misguided). This results in a complex mix of software with each surgery often having a bespoke combination. Things are slowly consolidating as the CSUs pull more weight and begin to dictate to the GPs as to what they can have. However it makes it very hard for any contracting company to find someone to deal with who actually knows what they are talking about, and who has access to the purse strings.

        However the real problem is not "I only started thinking about it last year", but more "I'm a GP why should I worry about it". Most NHS management is too bothered with plush offices, political infighting, hitting budgets and reducing staff. Replacing computers doesn't get a look in.

  19. Henry Wertz 1 Gold badge

    How about they patch them then?

    So, how about they just go ahead and patch them then?

    "Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
    "Installed"=dword:00000001"

    Once that is slapped onto a (32-bit) XP system, XP shows up to Windows Update as "POSReady 2009." Since Microsoft was (absurdly IMHO) still selling this XP SP3-based software in 2009, they are roped into providing updates until at least April 2019. If you're actually running 64-bit XP, there's a slightly different but equivalent registry edit for that.

    1. x 7

      Re: How about they patch them then?

      Why not? Because the code for Windows embedded is not the same as XP and the patches may well cause more problems than they save.

      Whatever you may say, there's a heck of a difference between a version of windows built for a sales till or cash machine, and for a desktop computer. It may be OK for a home user to risk, but in a supposedly secure environment doing what you suggest simply offers even more risk
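The reply above makes the defender's point: a desktop that carries the PosReady marker is pulling updates built for a different product, so an estate owner wants to know which machines have had it applied. The script below is an added example, not code from the thread; it parses an exported .reg file in the "Windows Registry Editor Version 5.00" format quoted above and, when run on a Windows host, can also query the live key through the standard winreg module. The sample exports and the SOFTWARE\Example\Placeholder key are constructed, and the function names are my own.

```python
"""Audit for the PosReady registry marker (added example, not from the thread).

Parses .reg export text and reports whether HKLM\SYSTEM\WPA\PosReady carries
Installed=dword:1, the edit quoted in the comment above. On Windows the
live key can be checked as well. Sample exports below are constructed.
"""
import re
from typing import Dict, Optional

POSREADY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady"
# "Name"=data  or  @=data (default value); names may contain escaped quotes.
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg export text into {key_path: {value_name: raw_data}}.

    Key paths and value names are lower-cased because the registry compares
    them case-insensitively. Only the first line of hex(...) continuation
    values is kept, which is enough for dword and string values.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):          # "[-HKEY...]" deletes the key
                keys.pop(path[1:].lower(), None)
                current = None
            else:
                current = path.lower()
                keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if m:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name.lower()] = m.group(3).strip()
    return keys


def parse_dword(raw: str) -> Optional[int]:
    """Decode a .reg 'dword:xxxxxxxx' literal; None for any other data type."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw.strip())
    return int(m.group(1), 16) if m else None


def posready_marker_present(reg: Dict[str, Dict[str, str]]) -> bool:
    """True if the export sets HKLM\\SYSTEM\\WPA\\PosReady Installed to 1."""
    values = reg.get(POSREADY_KEY.lower(), {})
    return parse_dword(values.get("installed", "")) == 1


def posready_marker_on_this_host() -> Optional[bool]:
    """Live check via winreg; None when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\WPA\PosReady") as key:
            value, value_type = winreg.QueryValueEx(key, "Installed")
    except OSError:
        return False                      # key or value absent
    return value_type == winreg.REG_DWORD and value == 1


# Constructed sample exports (not captured from any real machine).
SAMPLE_REG_WITH_MARKER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Placeholder]
"Name"="constructed sample"
"""

SAMPLE_REG_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Placeholder]
"Name"="constructed sample"
"""

if __name__ == "__main__":
    for label, text in (("with marker", SAMPLE_REG_WITH_MARKER), ("clean", SAMPLE_REG_CLEAN)):
        print(f"{label}: marker present = {posready_marker_present(parse_reg(text))}")
    print("live host:", posready_marker_on_this_host())
```

For a fleet, export HKLM\SYSTEM\WPA from each machine with reg export and feed the files to parse_reg; machines that report True should be treated as running an unsupported update stream, whatever their Windows Update status page says.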

