
Win XP, Flash, Java… healthcare makes easy pickings for hackers

Study shows some medical folk are still running an OS not supported since 2014


The healthcare industry is a long way behind the financial sector in basic security practices, according to a study by two factor authentication firm Duo Security.

Duo found that healthcare devices were significantly more out of date and less secure than ones from finance, after comparing its healthcare customers’ devices to its finance customers’ equipment.

Healthcare has a four times greater density of Windows XP computers compared to finance. Windows XP has been unsupported by Microsoft since 2014 and unsupported OSes do not receive any software patches or updates, making them an easy target for attackers.

The risk is far from theoretical. For example, earlier this year Melbourne Health’s networks were infected with malware after an attack compromised the Royal Melbourne Hospital’s pathology department, which was running Windows XP.

The Qbot malware linked to the infection is capable of stealing passwords and logging keystrokes.

A significant minority (three per cent) of Duo’s healthcare installed base is stuck on Windows XP, compared with one per cent of users across Duo’s entire client base. Across that customer base, finance has 50 per cent more computers running Windows 10 than healthcare.

Flash! Arrgh!

Finance has more instances of computers running on Windows 7 (74 per cent) than healthcare (66 per cent). Staying with older versions of Microsoft’s OS can have security downsides, even if the operating system is still supported.

With more than 500 known vulnerabilities affecting Windows 7, there are many ways for an attacker to easily exploit flaws on the outdated OS to gain unauthorised access to a healthcare organisation’s computing environment, Duo warns.

Twice as many healthcare endpoints have Flash installed and three times as many healthcare customers have Java installed on their devices, again putting them at greater risk of vulnerabilities and exploitation.

Only 12 per cent of non-healthcare users have Java installed, compared to 36 per cent in healthcare. Many popular electronic healthcare record (EHR) systems and identity and access management (IAM) software supporting e-prescriptions require the use of Java, factors which could account for the higher installed base. But this is bad news for security because Java browser plug-ins are a popular exploit route for hackers.

A separate study from IBM X-Force earlier this week warned that crooks were increasingly targeting healthcare concerns rather than banks, partly because their systems were more weakly defended. Stolen healthcare records contain personal data that is readily marketed through underground forums because it offers the collateral to carry out identity fraud and other scams.

  1. Unfortunately having the latest kit sometimes isn’t an option in the medical and healthcare sector. When you’ve got a dozen critical applications deployed nationally, hospitals and GPs all need to be using a desktop with the exact same configuration – even down to the browser settings. Then all the applications need to be developed and thoroughly tested for 100% compatibility with a new browser/Java/OS before anyone thinks of upgrading.

    It would be interesting to see whether it’s even possible to upgrade to Windows 10 in this environment, given all the privacy-related baggage and Microsoft’s idea of providing the OS ‘as a service’.


    • Healthcare is a particular concern for the country. It’s being targeted by ransomware. With so much equipment out of date, and running on XP, it’s an easy target – and which hospital would refuse to pay the ransom?
      The same ideology is present with PLCs. Those installing PLCs prefer XP. It’s almost as if IT security is just a pantomime or “theatre”.

      Even worse than Windows 10, so many official departments are using Office 365. So all the data is held by foreign companies. How on earth did we get to this?


      • Depends on context. Duo doesn’t say whether XP is installed on office machines or on clinical/medical systems. With the latter, any configuration or software change is a huge risk.
        Even a relatively trivial change involves months of development, retesting of the whole system, patching then retesting before release. If someone further up the chain has a problem with the update, it’s back to square one. You’re also stuck if it’s a large third-party ‘solution’ that was released 15 years ago, and there’s nothing around to replace it.

        As for putting anything sensitive in the cloud, I cringe at the idea of putting anything sensitive on DropBox or Office 365 – I’ve turned down job offers because HR people insisted on putting scans of my birth certificate, financial paperwork, etc. on DropBox.

