Last Friday’s cyber attack affected computers in the NHS, in other government departments, and in businesses and organisations across more than 100 countries. The organisations breached were (and still are) running Windows XP, Windows 7 or Small Business Server 2003. All these products are obsolete, and Microsoft does not officially support them. Windows XP support ended over three years ago! So why are these organisations still running these old, obsolete and vulnerable operating systems? Well, you could pretty much say it comes down to really poor management.
At Board level, accepting these known risks, which are not minor, is plain stupid. At IT management level, knowingly letting your own internal team support obsolete and risky systems is, at the least, unprofessional. At supplier level, the suppliers are also wrong for not strongly encouraging their customers to migrate to current versions of the operating system. Yes, their contracts [and income] are at stake, but so are personal data and patient services. At procurement level, the commercial teams buying IT services should know what they are buying.
How many hospital operations and appointments were cancelled? Hundreds. How many people died because of these delays?
The computers themselves are not safety critical, but access to the data within them is operationally critical. The NHS has been the source of many large-scale IT disasters, and the recent cyber attack is just another example. Perhaps the large prime contractors are no longer fit for purpose when dealing with such large organisations. Well, actually, that’s not quite the picture: the NHS is federated into hundreds of trusts, and funding is managed by the Clinical Commissioning Groups (CCGs).
This year the NHS budget is over 120 billion pounds. Surely upgrading the IT, trust by trust and PC by PC, is part of this spending programme?
If you run a business, government team or charity, my recommendation is to seek out and retire your obsolete systems. Otherwise they will cause you pain and cost you dearly.