AMSTERDAM - Most Dutch hospitals have medical equipment that relies on extremely outdated operating systems, according to research by BNR published on Wednesday. This leaves the equipment more susceptible to hackers, which is a significant concern for security experts.
BNR surveyed 20 hospitals in the Netherlands regarding their use of medical devices with outdated operating systems no longer supported by manufacturers. Out of the eleven hospitals that responded, ten confirmed having such "legacy systems."
ErasmusMC in Rotterdam uses patient monitors, ventilation, and ultrasound equipment with outdated systems. Utrecht Diakonessehuis still operates some devices on Windows XP. RadboudUMC in Nijmegen also uses outdated operating systems but did not disclose further details for security reasons.
Experts are raising alarms about the safety risks associated with hospitals using outdated operating systems. "If a hacker accesses a hospital’s internal network, they can potentially take control of such devices at the push of a button," said security consultant Sijmen Ruwhof.
These outdated systems also make hospitals vulnerable to ransomware attacks, potentially rendering critical medical equipment like ventilators, heart monitors, or infusion pumps inoperable. "And then the consequences are incalculable," said Ralph Moonen, technical director at Secura.
BNR highlighted an incident in 2020 where a woman died following a ransomware attack on the university hospital in Düsseldorf. The heart patient was en route to the emergency room when the attack caused the hospital to shut down. Redirected to a more distant hospital, she passed away during the journey.
Moonen sees no reason why such an incident could not occur in the Netherlands. "We have to wait until people die," he said.
One of the main issues is that medical machines often have a much longer lifespan than the software controlling them. Z-CERT, a healthcare cybersecurity center, noted that hospitals usually opt for extra security measures rather than replacing old equipment.
Most hospitals believe these measures can mitigate risks, but security experts question their effectiveness in fully preventing hacker intrusions. They argue for stricter security protocols in hospitals. "If the cardiac monitoring is out, that is different from an accounting firm that can do nothing for a week," Moonen remarked.