Yesterday, I went to give blood. With the holiday season approaching, it seemed like a good thing to do, plus for entirely selfish reasons, I wanted the sponsoring organization to stop ringing my phone morning, noon, and night. When I arrived, and went into the makeshift booth for the pre-screening interview, I was surprised to observe the laptop on the small table displaying the Windows XP screen saver.
Why is this organization still running Windows XP in a medical setting? I just had to ask and am still not satisfied with the answer. The explanation given was that they were “running on a closed network” and it was not an issue. That may be true to an extent, although the response falls more into the “security by obscurity” mindset which is essentially no security.
There are several obvious issues:
First, the laptop was networked and since the blood drive was at a local church, networking was all wireless. All the devices were apparently communicating with each other over wireless, and I doubt the security of the wireless network was such that it could not be breached, particularity in such a mobile and ad hoc setting.
Secondly, the laptops and devices absolutely either contained, or had access to PII, (Personally Identifiable Information). They knew my name, my donation history, other names I have used (they had a hard time getting my donor card spelled correctly), my blood type, my date of birth, gender, email, home address, and phone number. That is a significant amount of PII on me and every other person coming through that blood drive on that day.
Lastly, taking the representations made that the network was a closed network as factual, at some point these systems would need to connect to another network to update the data about the donations made that day. The systems would no longer be on a closed network and would be vulnerable to other attack vectors which may be lurking back on the home network.
Cost is frequently the issue raised when organizations are challenged about not upgrading and retiring Windows XP. That said, is the cost of replacement greater than the cost of brand damage? Worse, could there potentially be a critical blood supply shortage if this organization were ever breached and donors refrained from giving blood because of the breach? This is a much more serious matter than a big box store being breached because lives could be at stake.
It is hard to imagine any justification for any organization to continue running Windows XP. But still running Windows XP in a medical setting? This concerns me.