In an increasingly technology-dependent world, software systems are constantly in development and older versions are often left discontinued. End users should be aware of the risks of using discontinued software and take the necessary steps to understand the security and privacy implications, so as to avoid exposure to cyber crime and other privacy vulnerabilities.
In this week’s post, ARITHMOS discusses how service providers should always keep systems up to date with the latest security patches. Discontinued software versions should be considered a high security risk for critical IT components and should be mitigated by upgrading to supported versions or migrating to newer solutions on other platforms.
Cyber security attacks are often caused by unpatched software systems, and unpatched software is frequently a sign of a discontinued system at risk. Normally, during the life cycle of a product, the manufacturer produces patches to ensure security. Product maintenance usually ends when the life cycle of the product ends and the manufacturer discontinues all support. This can create huge risks for system end users and service providers.
End users cannot verify the integrity and validity of a software system once the manufacturer stops keeping its security up to date after discontinuation. This means that end users may be running compromised software systems. More importantly, and even riskier, end users could be in danger of non-compliance with industry standards.
Loss of product support from the manufacturer of discontinued software could potentially lead to:
- No further security updates or security notices for the discontinued system
- New vulnerabilities no longer being collected, reported and analyzed
- High risk of service unavailability
- High risk of cyber attacks on data integrity and confidentiality
- Potential violation of data security laws
In the case of discontinued software, it is the responsibility of the service provider to keep systems up to date with the latest security patches and to migrate to new versions, solutions or platforms. The end user should be aware of and understand any security risks involved with discontinued software.
ARITHMOS Case Study – Discontinuation of Oracle Clinical Version 4.5.3 and Microsoft Windows 2000
ARITHMOS provided Oracle Clinical RDC Version 4.5.3 for remote data collection for clinical studies. The application and the database were installed on Microsoft Windows 2000 Server. Oracle ended support for this Oracle Clinical version in August 2013, and Microsoft ended support for Windows 2000 Server in 2010. Therefore, as the service provider, ARITHMOS noted the risks to the end user of continuing to use these systems.
As the service provider, ARITHMOS also had to be sure to comply with international regulations and local laws, such as the European Commission regulations on data privacy and confidentiality, which require service providers to follow national provisions on data privacy. For example, in Italy there is a law which outlines minimum security measures for personal data protection. In addition, Italian law states that systems and applications must be updated at least every 6 months to prevent intrusion attacks that compromise the security of personal data.
In the case of Oracle and Microsoft, ARITHMOS upgraded Oracle Clinical to version 5.0, which has manufacturer support through 2018. In addition, ARITHMOS installed Oracle Clinical 5.0 on Windows 2008 Server, which is maintained by the manufacturer through 2020. Therefore, ARITHMOS is guaranteeing security and confidentiality to its clinical trial customers through 2018, when it will evaluate and upgrade its systems again.