The recent global cyber attack that hit 45 Health Trusts was a timely reminder of the importance of information security. It demonstrated that security is not just a technical matter, but something that affects our daily lives in very real ways. Hospital appointments and operations had to be cancelled, and hard-pressed medical staff had to fall back on paper-based systems to continue working while their computer systems were frozen by a ransomware virus.
The attack also illustrated how hackers mostly look for easy targets. They tend to go for the systems that are the least well defended – the “low hanging fruit.” In this case, the vulnerable NHS trusts certainly made it easy for the hackers by running Windows XP – an operating system that Microsoft ceased to support in April 2014.
Now, running an unsupported operating system is bordering on professional negligence, and many of the trusts have come under fire for failing to take this most basic of precautions to protect themselves.
While the criticism is justified up to a point, some IT professionals in the NHS have pointed out that the situation is not quite that simple. As one of them complained on social media: “Isn’t it time we pushed back on suppliers to the NHS who forbid you applying the latest patches in case it breaks their software?”
Some pathology devices, for instance, run on Windows, but the suppliers will not allow their users to keep their operating systems properly patched because the patches might affect the working of the device itself.
This raises a broader question for all organisations running equipment and software from a variety of suppliers. If you make changes or apply updates to one piece of software, how will it affect other products?
Some products insist on being tightly integrated with other parts of the system, which may entail changing templates and interfaces to achieve that integration. But when patches and updates need to be applied to one product, doing so can have unexpected knock-on effects in other parts of the system. It’s like pulling a loose piece of wool on a cardigan, only to find the whole garment unravelling.
And so this partly explains how those Health Trusts ended up with so many unpatched systems. The IT professionals knew it made them sitting ducks for hackers, but they were powerless to change the situation.
So why is SecurEnvoy telling you this? As the inventor of Tokenless® multi-factor authentication, SecurEnvoy has always taken the approach that this vital security feature should be installed with minimum effort and with no modification to the systems it protects. Unlike some of its rivals, SecurEnvoy requires no tweaking of templates or interfaces to start doing its work.
And so when changes are made or patches applied anywhere on an organisation’s systems, the SecurEnvoy solution will continue to perform unaffected by the changes.