Windows XP virus takes down Royal Melbourne Hospital


You would think, you would really think, that pretty much every organisation Australia-wide would have gotten the picture by now that Windows XP is an outdated platform and needs to be replaced. But sadly this is not the case. From Victoria comes the news that the Royal Melbourne Hospital has had its operations knocked offline by a Windows XP virus. The hospital issued the following statement yesterday:

“Melbourne Health is managing a computer virus which infected its computer network. While the virus has been disruptive to the organisation, due to the tireless work of staff we have been able to minimise this disruption to our patients and ensure patient safety has been maintained.

Computers running on most of our systems are now clear of the virus and IT staff are working to restore the remaining Windows XP computers as quickly as possible. As of 10am this morning, many programs affected by the virus are up and running including pathology and pharmacy.”

The Age has more on the situation, including the fact that staff at Royal Melbourne had been required to “send faxes” to its pathology department if they urgently needed results.

Seriously, people. It’s 2016, and we’re still talking about Windows XP viruses and faxes. What the hell is wrong with Australia’s IT industry? Why can’t we move past this stuff? It’s a vivid demonstration of the old prescient quote by sci-fi writer William Gibson: “The future is already here — it’s just not very evenly distributed.” Certainly the Royal Melbourne Hospital appears stuck in 1995.

Image credit: Who do you think?

18 COMMENTS

  1. Some innovation needed? Update your systems, guys!
    I saw the local Aust Hearing Services using XP too.

    • Quick get some funding from the Innovation bill to develop a new technology to fix this issue.

  2. There are a lot of places that are still using XP, and in most cases it’s because they don’t want to spend any money upgrading what still works. Like the old adage goes: “If it ain’t broke, don’t fix it”. Doesn’t exactly work that way for IT, but most people don’t seem to care…

    • There will be some custom health applications which won’t run on anything else, I’d wager.

        • Just old or attached to really expensive equipment so an upgrade requires the original vendor to be around, to have an upgrade to just the software etc.

  3. This is *not* about whether or not they should be running XP. The article attacks what it considers backwards thinking, completely missing the actual issue. There is *nothing* wrong with running XP if legacy applications require it, provided those systems are air-gapped and stringent containment policies are in place for connection of external devices and drives. Ideally due diligence would be performed to evaluate the possibility of running the legacy applications on a newer (currently supported) OS, either in compatibility mode or maybe running VMs (or Remote Application services from a central server, which is easier to manage).

    What this situation demonstrates is a careless, irresponsible, even negligent attitude to adequate IT practices at Royal Melbourne Hospital. In order to keep obvious costs down they have taken the bean counter approach, choosing not to spend money on new systems, nor even evaluating possible migration and upgrades, nor doing their due diligence investigating the risks of continuing to run an OS that has had no security patches released for two years. This is a classic example of senior management negligence and the inevitable result of treating IT as a cost to be minimised, rather than a core business component with an extremely high risk profile, where failure could result in severe damage if not loss of the business as a going concern.

    • Ummm. Oooooh.

      “What this situation demonstrates is a careless, irresponsible, even negligent attitude to adequate IT practices at Royal Melbourne Hospital. In order to keep obvious costs down they have taken the bean counter approach, choosing not to spend money on” effective malware interception software at all strategic nodes in their system.

      As good practice I would certainly have expected to see at the very least a high-end AV product rolled out on the server to intercept all incoming traffic. I’m not unduly concerned that XP was still in deployment, though where legacy software is concerned W2K would have been infinitely superior and a lot easier to maintain and work with. The only problem with keeping such ancient OSs on workstations is that current AVs won’t fit.

      The other thing I would pay attention to is making sure NOBODY uses the server terminal as a workstation.

      “This is a classic example of senior management negligence and the inevitable result of treating IT as a cost to be minimised[.]” Couldn’t agree more. Actually, there is a really good case for instant replacement of more than one very senior management position.

  4. Let’s not make assumptions here. A SOE upgrade is no small feat. Many large companies still run XP as their primary OS. Microsoft still supports XP if you pay for it. Most ATM systems are still running it. Who’s to say an upgrade wasn’t in the pipeline?

    Quite possibly their IT teams have flagged the need to upgrade. Maybe they haven’t been able to convince management of the value to upgrade. Maybe this will give them the push needed.

    To be fair, nowadays no system is infallible. Take ransomware for instance. It doesn’t matter which system; if a pesky user clicks the link and runs the file, boom, you have a problem.

    I think the writer here needs to get their facts right and stop making personal judgements, etc.

    • Backing up what Nick has said, the health industry is notorious for purchasing large pieces of hardware or medical systems from vendors which are designed to have long lifetimes that go well beyond the operating system lifecycle.

      The internal IT staff generally are not allowed to touch these systems as they are vendor-managed and the cultural perception is “If you break it you are risking people’s lives”. That’s generally enough to scare most IT staff off.

      The end result is that while the IT department does what it can to update the SOE and servers, there are always going to be “legacy” systems for which the only way to upgrade is an expensive replacement of medical equipment or systems.

    • Using a social engineering example is a terrible argument. It is like saying “why should I change the tyres on my car when they are worn down – a car could go through a red light at any time and crash into me anyway?”

      You can’t protect against every attack but you can at least do the minimum needed and (studies have proven that) usually doing just the basics can take you to 80% more secure than doing nothing.

      Also, Microsoft publish their lifecycle “fact sheet” showing when Operating Systems are going to stop being supported. I can tell you right now that Windows 10 will expire on October 14, 2025. If you are buying a system that uses Windows 10 then either be prepared to replace it before then or build an upgrade into the contract.

  5. I’ve seen intensive care units in Singapore that still use Windows NT 4.0. Provided they’re segmented and don’t have network connectivity (which didn’t happen in this case), many of these security issues are moot. Simpler systems with fewer moving parts are also more secure; NT 4 didn’t even have USB support.

    It’s not ideal, but also not black and white.

  6. I can’t really jump in on this, but I will point out that many MFDs still run either a full version or a cut-down version of XP and have never been patched.

  7. As noted earlier, there are large Banks still heavily dependent on XP.
    Take that as you will.
    Apparently it’s not as easy as logging on to the Dell/HP/Apple website, who’da thunk it?

  8. Also, other than its not being supported for the latest security stuff, an XP box even with just Office will work just fine now; there’s no productive benefit for people to upgrade, so many simply don’t. In some industries with tight margins such things just aren’t an easy choice.

  9. Having worked in health IT some 25 years, let me assure you that the IT staff, and often middle and senior management, know what is required, but getting the boards to designate the required funding regularly fails. Increasing the IT budgets to allow for essential maintenance is the only answer.

  10. This problem has nothing to do with legacy equipment running specialised hardware. Those systems can be, and often are, managed well from a security perspective. If your general purpose computing fleet is running an unsupported OS, no matter the flavour, eventually you are going to have a bad time.

    Heck, at my last job we had a laptop running Windows 95 and one running Windows 3.1 for legacy control software for specialised hardware that wasn’t going to get replaced if we could avoid it. The one thing those computers didn’t get used for was reading email, browsing the internet, or even having an internet connection.

    Embedded systems are a different beast again because they don’t have all those extra bits that make them useful as a general purpose computer.

  11. Medical IT is a disaster waiting to happen. Yes, big fish like hospitals are favourite game for some.

    The places that will be harder to secure will be small doctors’ surgeries and small medical firms, all handling Personally Identifiable Data, some of which most people consider the most private of information.

    Don’t get me started on medicos bringing their personal iPhones into hospitals, from an infosec point of view and for simple infection control.

    Yet nobody even talks about it.

    Hmmm
