One of the most frustrating parts of being in the Information Security field is ignorant upper management. Upper management can often, although not always, impede proper security protocols by refusing to make basic upgrades. This issue can take many forms, but one area that has arisen numerous times is the present-day usage of outdated operating systems by major organizations. As a recent report shows, the UK's National Health Service is currently on the fast track to nowhere in terms of OS usage.
Citrix, which serves the NHS, released a report based on Freedom of Information Act requests (and regular audits) that most NHS Trusts still run Windows XP. Between the FOIA submissions and 42 (of 63) Trusts that complied with the audit, it was determined that an alarming 9 out 10 Trusts are running the obsolete OS. Even worse, as UK tech news website The Register reports, there isn't a plan to update the systems until “some time” this year.
There are so many issues that arise when using an operating system that is no longer updated. From a security angle, the greatest is rather obvious. Any vulnerabilities that exist in Windows XP, and believe me there are many, can be easily exploited by hackers. With something as massive and vital as the NHS, we are talking about opening some of the most sensitive health data for UK citizens being exposed to black hats with active connections on the Dark Web.
Why on Earth is the NHS dragging its feet on updates to such a vital component of its network? It is not known with certainty, but some security experts have their own ideas. In an interview with InfoSecurity Magazine, Jonathan Sander of Lieberman Software said "many healthcare organizations have single purpose devices that don't require network connection for their main purpose. Often they may decide that such devices don't need the attention of updates and patches." Sander also continued in a rebuke to this type of thinking by saying that "with network connection, they become targets for malware, worms, and everything else a bad guy might sneak in."
In short, the NHS is in desperate need of an OS overhaul.
Photo credit: Flickr / azuresh