We were told by many experts that such things were not likely to happen “over here.” We were told that the NHS was a unique case, as it had become a political football and the government refused to allocate desired funds for the upgrade to a current operating system. The people in charge knew the risks and were prevented from doing anything about them. That can’t happen here, or so we’ve been told.
We’re as vulnerable, just luckier
This past weekend was B-ing negative, so I decided to give blood (B negative! My blood type! Get it? Thanks, I’ll be here all week.) I went to the American Red Cross donation center in my area. [I have many beefs with the ARC, as some of you know, but their management of much of the country’s blood donation infrastructure has always seemed to be very effective.] As part of the donation process, you answer a computerized questionnaire used to screen out those who might be a danger to the blood supply (as well as, sadly, many who present no particular risk who are excluded because of uniquely American paranoia). I was checked in, had a quick hemoglobin test and then was left alone in the little cubicle to answer the questions. As this is protected information and the person checking you in doesn’t need most of it, you are left alone. The laptop computer was not new. An HP business machine that appeared to be 4-5 years old. It had a “Windows 7” sticker on it.
But when I finished the questions and hit the “done” button, I was taken to the main log-in screen and could see the computer was actually running Windows XP.
Let me be clear about what I’m saying: The American Red Cross Blood Services is running computers with an obsolete and unsupported operating system, one that has been known for some time to be compromised in a number of ways, and is using them to collect HIPAA-protected personal health and other information!
OK, please break this down…
What this means is that the ARC took a computer that had been delivered and licensed with Windows 7, then “downgraded” the operating system to one that was two major revisions older. The operating system it was “downgraded” to is no longer supported, is known to be vulnerable to certain types of attacks and was implicated in some major recent breaches. That computer probably doesn’t store a lot of data, as the application seems to be just a web-based front-end, but it is being used for collecting data that is covered by HIPAA rules. If I were auditing their HIPAA compliance, it would be a major “WTF?” moment.
There are lot of reasons for “downgrading” operating systems and I’ve done it myself at times. Large organizations don’t want to roll out new systems willy-nilly, so sometimes it makes sense to keep everybody on a slightly older platform for a time, then upgrading everybody at once, or on a defined schedule. In addition, it is very desirable to test every aspect of the new operating system in the specific environment to ensure that all software and other components will still work. Sometimes changes must be made to some applications and procedures so that everything can still work.
[Microsoft and others try to make the latest operating system compatible with previous ones, but sometimes features are eliminated, support for older architectures go away, etc. If my printer at home has issues because the driver for the new Microsoft operating system doesn’t work right, it is usually no more than an annoyance, or sometimes a problem that is quickly resolved. If an entire business can suddenly no longer print because somebody decided to upgrade the operating system on the day of the new and untested versions’ release, and if it’s someplace like a law firm who still use lots of paper, it can be disastrous. This can be particularly problematic with old custom-built software that sometimes has to be replaced outright because it no longer works.]
But the key here is what I emphasized above. It makes sense to defer the upgrade for a time, and then only to keep people on a slightly older platform, that is still fully supported for the relatively brief duration. Running an operating system that was introduced 16 years ago, and that has been replaced with newer versions four times since, is not sensible and is not a reasonable transition plan, it is just plain careless.
But we’re a nonprofit! We don’t have money for that!
The people who’ve watched the ARC’s efforts in places like New York after Superstorm Sandy and in Haiti after their devastating earthquake might question why you don’t have money for basic IT management. But hey, I’m sure the people who got those six houses you built were happy! You seem to be able to waste it everyplace else. And yes I realize that the red cross blood program is apparently the ugly self-funding stepchild of an organization that is mostly concerned with doing far sexier things than providing a service that saves hundreds or thousands of lives every day and prevents every surgical hospital in the country from coming to a screeching halt.
But the bottom line is this: IT is a cost for every organization. If you don’t have in your budget the funds to keep reasonably up-to-date, then you don’t have a viable organization. In the software world we often say that “if an intern can break production on their first day, you as a company have failed.” Whether or not they actually do break production on their first day is irrelevant. If you’re set up so it’s possible, than you’ve failed.
To adapt that statement to this situation, I’d have to say that “if a Russian or North Korean hacker can break your system because you haven’t bothered to upgrade from16 year-old software that hasn’t been supported for two years, then you as an organization have failed.” That you didn’t get hit this time doesn’t matter. You’ve failed. Microsoft has agreed to offer some higher levels of support even for XP users to address this latest problem, but you’ve depending on Microsoft to continue monitoring every possible problem on a piece of software that hasn’t been sold more than a decade and few people use anymore. Honda won’t guarantee parts for my car past 10 years either. Maybe you don’t want to upgrade on every release? I don’t either. How about budgeting for every other new operating system? Maybe once every 8 years? Every 10? Even that’s within most software companies’ support policies. It’s a bare minimum.
What would I do?
I’m slowly moving out of the IT support business, so I’m doing less and less of this stuff. Still, I have some older established clients and some of them are still using Windows 7 against my recommendation. (We mostly skipped the disaster that was Windows 8.) Windows 7 will have security-related updates available through January 2020, but I’ve already told my clients that January of next year is it. Beyond that point, I will no longer provide services for any system that has not been upgraded. I don’t consider this harsh or unreasonable. Mainstream (non-security) support for Windows 7 ended in January 2015 and I don’t care to be the guy who chooses to stick with clients who can’t get around to it until the last shreds of support are left. I’ll let somebody else, and somebody else’s clients, hang on for the final two years of “security related updates only.”
As to my blood
I’m undecided. The online questionnaire and other things done on those computers seem to be little more than web-based front-ends for something else. Which means that there most likely isn’t much data stored on those systems outside the browser cache. Still, the fact that they’re set up that way is telling. If the simplest front-end system hasn’t been upgraded to a current operating system that was made available free, what does that say about the back-end? Is it more secure? I hope so, but hope is not a viable strategy. My experience when I see this kind of “bad housekeeping” is that it tends to be pervasive.
In my location, I have the option of donating blood at a couple of non-ARC facilities, one of which is just as convenient. I may have to consider that.
The scary part is that the ARC is most certainly not alone. Anybody know anybody else who is still using Windows XP for anything? We really need to start shaming such organizations, especially those that serve an important public function.
Additional Security Thoughts
As an aside, fellow Columbian Perry Metzger (who is far more famous than I am, but we did take a couple of classes together) wrote the following on Facebook. With the caveat that some businesses will not upgrade everything immediately for operational reasons, I agree:
People always ask in the wake of yet another internet attack “what should I do to protect myself.”
The advice is always the same. Do what computer professionals do. Don’t do what you _imagine_ computer professionals do, because you’re probably wrong.
Always run the latest version of the OS and software.
When security updates appear for your operating system or software, apply them as soon as possible, meaning that day. Configure your system to automatically apply updates if possible.
Back up your computer frequently. Since normal humans cannot remember to do that, get software and/or a service to do it for you.
Don’t use the same password with two different services, period. Since you cannot remember hundreds of different passwords, use a password safe, and remember only the password for _it_.
If a web site offers two factor authentication (that is, you can set it up so it both requires a password and a code your phone generates), turn that on.
Every professional security person does those things.