Davey Winder: the problematic legacy of the NHS
- 8 May 2017
Is it time to pull life support from legacy software, both at operating system and application level? If you are looking at this issue from a purely security-focused perspective, that time was in fact a while ago.
Yet the NHS legacy threat refuses to die. Support for Windows XP was withdrawn in April 2014 but as many as 20% of NHS organisations could still be relying upon it as their primary operating system, and around 90% are thought to run something on it somewhere in the organisation.
I’d be willing to bet what little I have that you could apply that to Windows Server 2003 and unsupported legacy applications as well. Something must change, and change before something gives way. And by the latter ‘something’ I really mean security.
The insecure triumvirate
Yes, I’m aware that cybersecurity is but one small cog in the gears that are grinding down the NHS. It exists alongside staffing issues, bed availability, patient numbers ever-increasing, and financial deficits ever-looming.
But here’s the thing: with the healthcare sector firmly on the cybercrime radar and being targeted by ransomware extortioners and data-stealing thieves alike, cybersecurity has never been more important for the NHS. Out of date technology does not help matters, and (albeit entirely anecdotally) I have heard it is not uncommon for hospitals to have more legacy applications than beds.
Nobody is saying it’s easy to upgrade from legacy operating systems, which are often driving expensive pieces of old hardware and running applications that themselves have long since seen any support from the developer. Replacing one part of the insecure triumvirate often requires the replacement of the others as well.
The cost to the organisation – and it’s as true for an NHS trust or GP surgery as it is for any business – goes way beyond the obvious and financial. There’s testing time to consider when talking about hardware or applications that might have a direct impact on patient care, and the time to train staff to use the new operating system, application or device. That’s assuming there even is a workable alternative to what is currently being used.
Head in the sand is not an option
Yet it’s not something that trusts are going to be able to ignore forever. Windows Server 2003 is long past its sell-by date – Microsoft extended support ended on July 14 2015 – but it’s still being used in numerous trusts.
The NHS itself, with key systems such as the spine and summary care record requiring out-of-date browser clients, does not come away looking good either. I’ll throw GP practices into the mix as well, and say that all of healthcare needs to buck its ideas up and start walking the security walk rather than just talking a good fight.
Just sticking with Microsoft, Windows Vista extended support is ending on 11 April 2017 and Windows 7 (plus Windows Server 2008) follows on January 14 2020. Mainstream support for Windows 8 and Windows Server 2012 goes on January 9 2018, with extended support dead from January 2023. The full list of Microsoft products reaching end of support status this year is a very long one.
Why is this still a problem?
So why is the legacy threat still here? Why has it not been dealt with as the NHS reinvents itself as a digitally aware organisation that can harness the latest tech to cut costs and improve patient care? Whatever happened to the promised blitz on removing obsolete technology from the NHS that was touted by former parliamentary under-secretary for health George Freeman just last year, following the Caldicott report on data security and information governance? What the hell has gone wrong?
The answers are as obvious as they are depressing: an infrastructure built upon a lack of true forward thinking, improvements held back by a lack of funding, and perhaps most importantly a lack of any real sense of urgency from those who control the purse strings at the highest level.
It is broke, and you do need to fix it
Then there’s the understandable, though I would argue misplaced, adoption of an ‘if it ain’t broke’ mentality to legacy systems – despite them being far from ‘not broke’ under the surface. I have even heard the argument, and far more regularly than I’d like, that the old systems contain data vital to patient care. Data, the argument goes, that might be lost if the system were migrated to something new.
Never mind that the same data might be exfiltrated by God-knows-who exploiting vulnerabilities that only exist because somewhere in the chain of code that runs the thing a patch has not been applied (nor is available). As I, and a bunch of lawyers, have been musing hereabouts lately, the EU General Data Protection Regulation (GDPR) could bring this cyber-chicken home to roost from next year.
Legacy systems that cannot be replaced, for whatever reason, must be hardened against attack. A risk audit should be a matter of course to identify which systems might fall into this category, and what the implications of neither replacing nor hardening might be.
What do I mean by hardening a system? Easy – applying ‘virtual patching’ to provide intrusion detection and prevention, for example, or running the application itself as a virtual machine within a more secure operating system (Windows Server 2003 can be run inside a virtual machine on Windows Server 2012). Additional security controls are recommended to reduce the threat surface as much as possible – change monitoring/file integrity monitoring software being one such example. Restricting access by closing unused ports, and only allowing permitted applications to run on a legacy system using application whitelisting is another.
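The change monitoring/file integrity monitoring control mentioned above, as an added illustration that is not part of the original column: a minimal baseline-and-compare checker that hashes every file under a directory and reports what was added, removed or modified, run here against a constructed throwaway "legacy app" folder rather than a real NHS system.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def baseline(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p) for p in root.rglob("*") if p.is_file()}


def compare(old, new):
    """Diff two baselines: files that appeared, disappeared, or whose contents changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario (hypothetical paths): baseline a fake legacy app, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "legacyapp"
        (app / "bin").mkdir(parents=True)
        (app / "bin" / "app.exe").write_bytes(b"original binary")
        (app / "config.ini").write_text("server=spine\n")
        before = baseline(app)
        # Simulated unauthorised changes: binary replaced, config deleted, extra DLL dropped in.
        (app / "bin" / "app.exe").write_bytes(b"replaced binary")
        (app / "config.ini").unlink()
        (app / "bin" / "helper.dll").write_bytes(b"unexpected file")
        after = baseline(app)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the monitored host and re-checked on a schedule, with any non-empty result raised as an alert.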
Quite simply, doing nothing is not an option…
10 Comments
In the absence of the government, these enterprising characters have started https://www.nhsbuntu.org/
I suggested many years ago, that the Government should develop and support its own Linux based OS (desktop and server), free to be used by all public organisations. Directly employ a dedicated development and support team (potentially working in partnership with a commercial organisation) to manage it. By now the country would have saved billions, have got off the M$ gravy train and be able to avoid such issues. Suppliers would have to be on board to get any business from the public sector. Sadly it was pooh-poohed (because we needed Excel). I still think it is a good idea.
Legacy software using Active-X and similar is the problem.
DON’T LET IT HAPPEN AGAIN!
When purchasing new software, make sure there’s a clause in the contract that requires the supplier to update their software to work on the latest version of Windows [or Linux, Solaris, Unix or whatever] within a reasonable time [6-12 months after its release?].
An article on similar lines was published in BMJ which came out on Friday even as Wannacry was hitting. You could not have made it up. Well done Davey.
Thanks Joe, but truth be told anyone with a modicum of security sense could see this coming. Obviously I don’t include government ministers, their advisors or Trust executives in this description 🙂
…….and the oscar for digital health’s most prophetic article ever written goes to……………
bitcoin millionaire ….. Davey Winder……….
utterly brilliant Davey, we must meet and have a pint.
This article skillfully articulates the risks that hundreds of IT staff within the NHS have been raising for several years. Risks that turned into issues on the 12th May 2017.
Thank you. If only the people with control over purse strings (not that money is the root of all this specific evil) and power to change the *process* were listening…
Gulp! Do you have a crystal ball, Davey?
Yep, and have been rubbing it about this particular thing for years now… 🙂