NHS Lothian is still operating outdated computer systems despite last year’s crippling cyber attacks, which exploited a flaw in the programme – making it Scotland’s most vulnerable health board to further attack.
Almost 3,000 out of 19,251 (15%) computers across NHS Lothian continue to run Windows XP.
A total of 11 out of 14 authorities confirmed through a Freedom of Information request that they still operate Windows XP, which was targeted by criminals using ransomware known as WannaCry. Microsoft ended support for Windows XP in April 2014, meaning the operating system would receive no more security updates, and the last major one was carried out as far back as 2008.
Last May, Microsoft released a one-off patch for XP to prevent users sharing files that were being used to spread the ransomware virus across the world, including the UK-wide NHS infrastructure.
Shadow health secretary Miles Briggs said that, in the current political climate and with the ongoing disputes with Russia, it is “completely irresponsible” to be running out-of-date computer programmes.
He added: “The cyber attacks last May affected 11 of the 14 health boards in Scotland and NHS Lothian was fortunate not to have been hit. NHS Lothian has by far the most computers running on Windows XP, that no longer runs security updates, leaving NHS Lothian open to cyber attack.
“SNP Ministers have failed to ensure that these urgent updates are carried out and have left NHS Lothian at risk.”
Half of the NHS boards in Scotland failed to provide a date by which they would phase out the Windows XP system, and Police Scotland claimed an exemption to the FoI on the basis that ‘disclosure would provide those intent on disrupting police activities with enough information to plan and execute a targeted attack’.
Hackers often demand that the victim pay ransom money to access their files or remove harmful programmes.
The aggressive attacks dupe users into clicking on a fake link – whether it’s in an email or on a fake website – causing an infection to corrupt the computer.
A Scottish Government spokesperson said: “Any suggestion that NHS Lothian has been left ‘at risk’ is simply not true.
“Scotland’s public sector organisations take cyber security very seriously. Our action plan on cyber resilience, produced in partnership with the National Cyber Resilience Leaders’ Board, sets out common baseline measures that all public sector organisations – including NHS boards – are currently working towards.”