The answer is as obvious as it gets => To NEED LESS WORKERS, to do the same amount of work in less time and/or to be cheaper.

See? Internet of things is REAL. That is what it`s about. Connecting everything in your world (be it a chair, your smartphone or your fridge with the internet).

Making all attackable from outside.

But normal people don`t know this. They think it´s all fine and easy.

They just care about for the lesser amount of work needed to do what they want to do.

Are you meaning that each time someone in Redmond changes the rules of the game you really re-write all the drivers and the pieces of software that interact directly with the hardware, and then re-check everything all over again until you’re completely sure? You must be a team of very wealthy heroes!

Many opinions and few facts in the comments above.
I’m in the process of ensuring GLP compliance for a UK based internationally respected Medical Research company to MRHA and OECD guidelines, as recently updated. Timely updating (i.e. inside 30 days from publishing) of OS and application security patches & service packs IS MANDATORY for any computer based system connected to the network, as is change management testing and assurance, i.e. keep it secure, test all software changes for errors / crashes / bugs etc. in a limited subset of systems and when sure, update all systems.
Perhaps medical regulation in the US is less rigid, but I doubt it. Perhaps they are less worried about compliance, but I somehow also doubt that.
The real issue was the delay from 1995 (yes, really!) until last April for a new guidance document to be published by the OECD. Sit back and consider if ANYTHING in the IT field is still as it was in 1995.

Nevertheless there’s nothing shameful or sinful (as many here seem to imply) in sticking with an ‘old’ software rather than replacing it with a newer – not necessarily better nor fully compatible – version. On the contrary, that’s very often the only way to keep a satisfactory piece of equipment (or of software) up and running rather than keeping up with the whims of fashion and junking it.
Once an OS is put in charge of a complex critical equipment it becomes an integral part of it, and updating to the next commercial version of the OS would be deadly even in the most optimistic scenario.
There are incredibly complicated and outrageously expensive scientific monstrosities whose computers run on XP, on 98 or even on good old DOS – reliable, predictable, no frills. And as they aren’t expected to be used to play solitaire, or to chat, or to watch porn on the web, they all talk and listen only on a strictly local intranet.

Ha Ha These machine become part of a network because people (at the top or in the hierarchy) are often lazy and computer illiterates and think that efficiency is when all commands are in one hand, thus networking ensures that and reduces maintenance costs and payroll since all is located at one level. The real diseases or malware in our society nowadays are bonuses for the top and high dividend for the shareholders. No Emsisoft, unfortunately” can change that. This being said, I love Emsisoft.

Scientific and medical equipment are exempt from keeping up with the fashion trends: they are definitely not meant to play solitaire, to chat or to watch porn on the internet. For a damn complex (and shockingly expensive) space project we resolved to exhume the good old DOS (reliable, predictable, no frills), though slightly retouched to fit our special needs. And no one of us feels guilty or ashamed of it.

That said, having such an equipment connected to a public network would be utterly irresponsible: along with professional hackers and malware-spreaders there are a lot of quite smart kids and teenagers out there, each one eager to ascertain whether he or she is really good enough to draw a satellite out of orbit, or to stop a heart, or to cause a terribly exciting general black-out.
Curiously enough whenever this happens the traditional scapegoats are the software people and the faceless attacker, seldom (if ever) the budget-wary management that decided to save the few K$ required to set up a dedicated intranet not accessible from outside.
It’s a funny world…

Well, if the ones who initially distributed the equipment never updated the software or hardware for use with Windows 7 or above (or a Linux distro), even if offline only, those computers are a threat to the hospital’s or clinic’s network. Many imaging facilities in particular are using XP powered hardware, so the risk is very high, even with a high powered protection with Emsisoft Anti Malware or Internet Security.

What many doesn’t realize is that there’s been over 200 patches/updates post EOL of XP, and many of these has been patched for Vista & above. For that matter, not even Vista gets fully updated (using IE9 for an example).

Until medical providers fixes the underlying issues, and has more control over employee access to Internet (to include restrictions on plugging in USB drives & other devices), the problem is not going away any time soon. And in the medical field, it takes years to change.

Maybe they should had been thinking of the future when purchasing these expensive devices w/out an upgrade path & held off spending, after all, Windows was predictable until W10, providing a new OS every three years (a bit longer between XP & Vista), and it may be that period that’s the issue. The medical clinics cannot gain a ROI if trading for newer equipment, so they run older & pay the consequences as these happens.

The other looming issue is spending, there’s limited cash in the budget to upgrade equipment, as well as the OS’s that powers these, so in essence they’re stuck. Insurers are reimbursing less, and patients pays less, plus many doesn’t meet their end of the deal, paying their fair share.

It’s very complicated, yet in the meantime hospital & clinics has to figure out how to better secure their Internet. When running EOL OS’s, it doesn’t take much for a botnet to be created, perhaps by a disgruntled employee at a high level, knowing the end of their job is near & inflicting damage however they can. All it would take is a USB drive that has an app like EEK, used on many computers & infections caught. Those infections could somehow be injected throughout the place from that drive’s quarantine folder loaded with nasty Malware by one with skills, or simply dump it in a place where it’ll spread on it’s own, like a cancer.

It’s up to the medical care industry to police themselves, trade current equipment, even if some negative equity has to be rolled into the new loan, and stay in tune with the times. Of course this will take time, so today is as good as any to begin looking for solutions to secure the facilities.

Cat