Royal Melbourne Hospital still has not fixed its Windows XP virus problem


blog Regular readers will recall that in late January, Royal Melbourne Hospital was forced to admit that many of its systems had been taken down by a Windows XP virus. I personally felt as though I had been thrust into a time warp in reporting this story, taken back to the years about a decade ago where it was actually a recurring trend that computer viruses would take down major corporations for weeks at a time.

Well, as it turns out, two weeks on, the hospital still has not quite got control of the IT infection. According to ZDNet (we recommend you click here for the full article), the virus continues to “mutate” and is still causing havoc:

“We had one day in the last week where the virus mutated six times,” Melbourne Health chair Robert Doyle told 3AW on Tuesday. “We are down to quite small outbreaks now but we are trying to stop it talking across computers.”

A lot of people — including myself — have commented on sites like Delimiter arguing that this kind of issue is related to Windows XP itself. Surely, many people feel, Royal Melbourne Hospital should have upgraded its Windows XP installations by now, to something more secure and modern.

However, upon reflection, what this story actually shows us is that IT security is not so much a matter of using a specific platform, such as a more modern version of Windows, or a specific security software suite. It is an overall philosophy, a process that needs to be continually in motion to deal with evolving threats.

After all, the Qbot virus doesn’t just attack Windows XP — it also attacks other versions of Windows, such as Windows 7. And the version that Royal Melbourne Hospital is grappling with is also a new version of the virus.

The reality is that malware will continue to evolve, and that the IT industry will see countless new variants over many years. I suspect that the problems we’re seeing at the Royal Melbourne Hospital will not be the only such issues we see over the next few years, even in organisations with much more modern IT platforms underpinning their operations. Security software has gotten smarter, but so has malware — and it will continue to evolve and grow more sophisticated.

The Royal Melbourne Hospital incident should probably serve as a wake-up call to the rest of us: Re-examine and update your IT security strategy now: Before it’s too late.


  1. While anti-virus may not end up catching new variants (if any anti-virus was installed at all that is), appropriate application white-listing controls may end up stopping processes from running and the virus from replicating. Reduction of administrative privileges should also help in reducing the installation and replication.

    I cant emphasize (if where possible, and where appropriate), the ASD Top 4 be looked at being implemented where there is a business need to.

    In the age of the internet, ignorance is no longer an excuse – particularly given the amount of news coverage cyber-incidents get these days.

  2. I think they need to do a major purge of the virus, by completely reinstalling Windows on all the affected PCs. It may mean some lengthy downtime for some sections of the hospital, but it is probably the best way to actually get on top of the virus before it runs out of control again.

    The worst “virus” I’ve seen recently is that damned Cryptolocker malware, which has a new, and rather insidious version. The older version(s) would encrypt files across a network, but only documents, and so on, but this new version actually encrypts Windows files too…

    • There are new variants of the ‘personal files only’ version circulating too. We’ve had a few customers come in about it and after days of research in a busy shop, our only answer is to pay the fee and hope for the best or reinstall and start from scratch.

  3. Look, I’m sure I’m not the only one who’s made a complete botch-up of things once or twice. After all, there’s a proverb “Fail your way to the top.”

    But “failing your way to the top” requires not making the same mistake twice in a row. I commented in the original report : ” “This is a classic example of senior management negligence and the inevitable result of treating IT as a cost to be minimised[.]” Couldn’t agree more. Actually, there is a really good case for instant replacement of more than one very senior management position. ”

    I do the occasional work in IT-ish security, nothing deep and techie, but overall attitudes and approaches. Royal Melbourne is Not Alone. It’s One Among Hundreds. And I can tell youse that the Hundreds will grow to be Thousands, and all the old faces will still be there next Century. And we’ll all still be agonising and asking “Why?????????”

    There is an approach to security which actually works. After all the absolutely necessary has been put in place–ALL OF IT–you lay it out to the CIO: “This gets infected, we get penetrated, YOU get FIRED instantly.” It is the responsibility of the CIO to explain to the bean-counters why costly upgrades and other improvements need to be purchased, why some nifty-looking (not to mention “crufty”) time-saver Must Not Ever Be Implemented, and so on.

  4. The real story here is that a hospital in a developed country is still using computers that are over a decade old — while most businesses replace their computers every 3 years, it’s staggering that a hospital can’t afford to replace cheap technology like this.

    • It’s easy. You need to implement VMs to run the old OS, which means you have to train the “operators”, then maintenance costs explode with the extra software AND the old object technology won’t fit the new IT hardware… You know, where’s the Parallel Port???????? And the PS/2 Ports????????????????????

      • I don’t imagine it is a simple task, but the IT management need to factor how many staff are actually using the technology (eg. most medical staff only use a single piece of software each day, so you should not train them all for the latest version of Microsoft Access or Asset Management tools if they’re never likely to use them); Secondly, much of the software needs ongoing training anyway as new versions are released, for example Aconex which RMH uses provides all users with ongoing training included as part of the fee for using their system; Also, much of the applications they use are available in web-based and/or tablet-based versions, which reduces the need for VMs and simplifies the installation or management of those apps; More importantly, web-based apps enable the use of Linux which would mimimise risk of malware infections and reduce operating costs, (for those workstations that are using only web-based software).
        The hardware issue is likely to be a headache, with millions of dollars of ancient peripheral devices like imaging units around the hospital, however unless you are using thin-client style workstations, you can always add a plugin card for those artefacts or use USB adaptors (one of the reasons for having an IT dept is to sort those challenges out).

Comments are closed.