Windows XP is hazardous for human health

Many of you likely read about the massive security breach that occurred last week. The attack first affected the United Kingdom’s National Health Service (“NHS”) before spreading to many other countries. Reports indicate that the attack continues to spread this week, although not at the same pace.

According to reports, the cyberattack infected numerous systems with a strain of ransomware. Ransomware is a type of malware that encrypts user data. Once encrypted, the malware will demand that users pay a ransom to get their data back. The fraudsters often demand payment in Bitcoin, a kind of digital currency. Last year, a Los Angeles hospital paid $17,000 to get its data back. While the hospital’s data was decrypted after paying the ransom, not every organization is as fortunate.

The malware that targeted NHS last week, known as WannaCrypt, demanded a similar ransom. This particular attack had serious consequences for human health. Patients arriving at NHS emergency rooms at 16 hospitals had to be diverted to other hospitals. In addition, numerous patients had surgeries delayed or cancelled as NHS staff struggled to cope with being locked out of patient data.

Fraudsters appear to have taken advantage of a security flaw in Microsoft Windows operating systems that Microsoft recently patched. Microsoft made a patch available for this issue back in March 2017. However, the security flaw exists not only in Microsoft’s current operating systems, but also in much older operating systems that Microsoft no longer supports, such as Windows XP.

This blog previously covered the security risks that old operating systems pose. Once a company like Microsoft stops supporting an operating system by issuing patches, any security flaw that exists will never be resolved. That means organizations that use operating systems that are no longer supported have a major security vulnerability. According to British media,  90% of NHS systems use Windows XP, an operating system that Microsoft discontinued support for over three years ago.

More recently, on April 11, 2017, Microsoft discontinued support for Windows Vista. That means any organization that still uses Vista now has serious security concerns. The WannaCrypt ransomware illustrates how widespread problems can become when organizations continue to rely on unsupported software. Now that Microsoft is no longer patching Vista, fraudsters can exploit security flaws for as long as organizations continue to use the operating system.

The WannaCrypt breach was so bad that Microsoft actually did issue updates to fix the security flaw for Windows XP and other, older operating systems that Microsoft no longer supports. Organizations should not, however, count on software companies to start regularly updating older systems. The scale of the WannaCrypt breach likely motivated Microsoft in this case. However, many other security flaws can still be exploited without the same widespread notoriety, but with similarly devastating consequences for a particular organization. That is why timely implementation of patches and updates, as this blog has previously explained, is a critical part of an organization’s cyber-risk management policy. That policy should also require the organization to change to newer versions of software when support stops for existing software. As WannaCrypt demonstrates, it may be hazardous to human health to use outdated, unsupported software. 

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed. 

- John Lande