Hundreds of thousands of patient records lay vulnerable to cyberattacks after trusts under the National Health Service (NHS) failed to extend security support for the outdated Windows XP. Trusts that have yet to upgrade to Windows 7 or 8 risk attacks from hackers who reverse engineer the security updates issued for newer Windows versions to locate the corresponding, never-to-be-patched vulnerabilities in unsupported Windows XP.
Currently, over 85% of NHS trusts run on the outdated Windows XP, with the majority of those trusts depending on Microsoft patches and security updates for the old OS. Trusts were required to sign a Premier Services Agreement (PSA) with Microsoft in order to receive periodic patches and security updates, but apparently 18 trusts failed to sign the pact.
Microsoft first signaled the end of commercial support for Windows XP in 2007, with mainstream support ending in 2009 and extended support ending in April 2014. Governments and organizations that had yet to upgrade to a newer OS version were required to sign the PSA by 31 May 2014 to obtain a further one-year extension.
“If you have not migrated away from Windows XP, security patch downloads will only become available to organizations once you have put a Premier Services Agreement (PSA) in place,” read a warning letter sent to NHS trusts by the Cabinet Office earlier this year. “It is imperative that your organization clearly understands the risk that is placed on it should the decision be not to take out a PSA.”
Technically, the end of commercial support for Windows XP means that Microsoft stops releasing security patches and updates for the operating system, so security holes discovered after the support period go unpatched.
Microsoft warned customers still on the outdated XP that hackers would come with guns blazing, wielding all types of exploits, after the end of commercial support. “Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a zero-day vulnerability forever,” said Tim Rains, director of Microsoft’s Trustworthy Computing group.
The risks of running an unsupported operating system vary depending on the sensitivity of the information on the network and, more importantly, on the quality of technical expertise available to each organization.
The “risk may depend on how many non-upgraded machines are on the network, the effectiveness of perimeter defenses, the availability of suitable exploits to a potential attacker, and so on,” said David Harley, a former NHS IT manager who now works as a researcher at the security firm ESET. “An internet connection on a machine that carries sensitive data itself, or allows access to it, is probably most at risk.”
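The risk factors Harley lists can be turned into a simple triage pass over an asset inventory. The script below is an added example, not code from the article or from any NHS trust; the exact support-end days, the risk weights and the sample inventory are assumptions, with only the April 2014 and April 2015 dates taken from the text.

```python
from datetime import date

# Dates from the article: XP extended support ended April 2014 and the PSA
# bought one further year, to April 2015. The day of month is an assumption.
XP_EXTENDED_SUPPORT_END = date(2014, 4, 8)
PSA_COVERAGE_END = date(2015, 4, 8)

def support_status(os_name, trust_has_psa, today):
    """Return 'supported', 'psa-covered' or 'unsupported' for one host."""
    if os_name.lower() != "windows xp" or today <= XP_EXTENDED_SUPPORT_END:
        return "supported"
    if trust_has_psa and today <= PSA_COVERAGE_END:
        return "psa-covered"
    return "unsupported"

def risk_score(host, trust_has_psa, today):
    """Weight the factors from the article: patch availability, internet
    exposure, sensitive data, perimeter defenses. Weights are assumptions."""
    status = support_status(host["os"], trust_has_psa, today)
    if status == "supported":
        return 0
    score = 1 if status == "psa-covered" else 3   # no patches at all is worst
    if host["internet_connected"]:
        score += 3
    if host["holds_patient_data"]:
        score += 3
    if not host["behind_perimeter"]:
        score += 1
    return score

def prioritise(inventory, trust_has_psa, today):
    """Return (hostname, status, score) tuples, highest risk first."""
    rows = [(h["name"], support_status(h["os"], trust_has_psa, today),
             risk_score(h, trust_has_psa, today)) for h in inventory]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows

# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    {"name": "ward-pc-01", "os": "Windows XP", "internet_connected": True,
     "holds_patient_data": True, "behind_perimeter": True},
    {"name": "lab-pc-07", "os": "Windows XP", "internet_connected": False,
     "holds_patient_data": False, "behind_perimeter": True},
    {"name": "admin-pc-03", "os": "Windows 7", "internet_connected": True,
     "holds_patient_data": True, "behind_perimeter": True},
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_INVENTORY, False, date(2014, 12, 1)):
        print(row)
```

Running it for a trust without a PSA in December 2014 puts the internet-connected XP machine holding patient data at the top, which is exactly the case Harley singles out.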
Earlier this year, the government signed a £5.5 million deal with Microsoft to extend Windows XP support for organizations still running the outdated OS. Apparently, public service organizations have yet to upgrade to newer operating systems 8 months past the 12-month grace period extended by Microsoft. Asked why the upgrade has yet to take off, the Cabinet Office said the process is “complex and costly,” adding that all public sector organizations will have upgraded by the April 2015 deadline.
Written by: Ali Qamar, Founder/Chief Editor at SecurityGladiators.com
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor of SecurityGladiators.com, a source for worldwide security awareness whose mission is to make the internet safer, more secure, more aware and more reliable.