The Challenges of Operating System Obsolescence in the Pharmaceutical Industry

by Dario Palese, Digital Governance Business Line Director @PQE Group

Despite technological progress, the pharmaceutical industry continues to rely on PCs running old operating systems for various critical operations.

These legacy systems often serve as the backbone for industrial equipment, production lines, and specialized software designed for and only compatible with older platforms. While such systems provide stability and ensure continuity in processes that have been refined over decades, they also present significant challenges.

With Microsoft’s planned end-of-support for Windows 10 in October 2025, the urgency to migrate to Windows 11 or alternative platforms has become a pressing concern.


Cybersecurity

While legacy systems offer a consolidated environment, their obsolete operating systems pose significant cybersecurity risks due to the lack of updates. This leaves systems vulnerable to new and old threats and cyberattacks. Hackers often focus on exploiting obsolete systems, knowing they are frequently used in critical environments (e.g., hospitals or industrial control systems) where replacements are complex. Automated attack tools can quickly identify and target unpatched systems.

Moreover, obsolete operating systems force users to rely on outdated applications, which are also vulnerable.

Beyond these internal vulnerabilities, outdated systems reduce the effectiveness of external defenses because of compatibility issues with modern firmware and hardware. Many antivirus, firewall, and other security tools no longer support obsolete operating systems, leaving those systems unprotected.


Compliance and Business Continuity

A system that is no longer updated can lead to non-compliance with several regulatory standards. Without proper regulatory compliance, organizations could face fines, penalties, legal action, and reputational damage.

An outdated system conflicts with the main principles of GDPR (General Data Protection Regulation), which requires the implementation of appropriate technical measures to protect personal data and the integration of data protection security measures “by Design and Default.”

Similar requirements, with a broader data scope, come from the NIS2 Directive (Network and Information Security). Organizations are required to implement appropriate measures to manage cybersecurity risks and prevent incidents, assuring Business Continuity with a robust Disaster Recovery plan.

On the side of international standards, ISO 27001 requires timely identification and remediation of vulnerabilities, secure systems and software use, and assurance of information integrity and availability. As can be easily understood, an obsolete system can’t fulfil all these requirements, making compliance with this standard challenging.

Focusing on the pharmaceutical sector, HIPAA (Health Insurance Portability and Accountability Act) has requirements similar to the above regulations and standards. An obsolete operating system can also significantly compromise data integrity requirements, which are necessary for all organizations but essential in this sector.

Data integrity requires robust data backup and recovery mechanisms to ensure that data can be restored in case of failure, corruption, or loss: an outdated system may lack compatibility with modern backup technologies or fail to provide automated, regular backups.

Outdated systems also lack up-to-date security features like audit trails, multi-factor authentication, role-based access control, and secure password storage, making them vulnerable to unauthorized access.

In pharma, computerized systems must undergo rigorous validation to ensure they function as intended and maintain the required performance and security standards. Systems must also comply with regulatory standards that ensure data integrity, security, and accountability, such as FDA 21 CFR Part 11 (for electronic records and signatures) or GxP (Good x Practice) regulations. Thorough documentation of all validation processes, including system design, testing, and maintenance, must be available, as must the ability to trace any changes made to the system.

An obsolete system, which often lacks the necessary tools and features for validation, puts all the above requirements at risk. It may not support newer security protocols or be unable to run the latest validation software, resulting in compromised security and system performance.

One more challenge for outdated systems is the reduced availability of spare parts (and, sometimes, of their suppliers); this makes outdated systems highly susceptible to breakdowns, performance issues, and incompatibility with other hardware, which can impact the continuity of business operations. Successful attacks and data breaches can also lead to system downtime and prolonged recovery times, disrupting critical operations and reducing productivity.


Approach to the update

The previous sections showed that updating obsolete systems is desirable and often required. However, migrating to a modern, vendor-supported operating system demands a structured approach. This is particularly critical when dealing with systems that support essential processes, where minimizing the risk of malfunctions and operational disruptions is a must. In the following, we will focus on the migration from Windows 10 to Windows 11, but the approach can be easily extended to any Operating System update.

  • Assessment and Planning 

Migrating from Windows 10 to Windows 11 requires careful planning and execution to ensure a smooth transition while minimizing downtime, data loss, and compatibility issues.  

The first step is assessing the current state: all the impacted devices must be identified, and their current configuration and compliance with Windows 11’s minimum hardware requirements must be evaluated. In this phase, a substitution strategy must also be defined for all the non-compatible hardware. 

Once the hardware has been identified and verified, all the mission-critical applications running on the devices that passed the hardware check must be identified, and their compatibility with Windows 11 checked. A first-level check can be done automatically, but for critical applications, an extensive system test is recommended, with risk-based revalidation to be considered as well.

Following the assessment, a planning phase starts. The plan will define the priority of intervention and include milestones for the initial backup of all critical data, pilot testing, full deployment, and post-migration support.  

A robust plan will include a rollback strategy in case significant issues arise during the migration, ensuring that users can revert to the previous operating system if necessary. This can be achieved with system restore points, backups, or image-based recovery tools to facilitate easy rollback.

  • Pilot testing

Pilot testing is crucial for identifying potential issues and minimising their impact on the whole organisation and/or critical operations. This phase starts with identifying samples of users/applications that can represent the entire company landscape. 
All critical issues identified during the pilot phase will then be addressed.

  • Full Deployment 

The next phase includes defining a standardised migration process to guarantee the migration of user data, profiles, and functionalities.

The upgrade process is scheduled to minimise disruptions and is communicated to all stakeholders. 

  • Post-migration Support 

In this phase, system performance is systematically monitored to ensure that hardware, software, and network configurations function correctly and that any identified issues are addressed.

Moreover, proper change management of Computerized System Validation must be performed. 
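
For the assessment step above, a first-level hardware check can be scripted and run on each device. The PowerShell below is an added example, not PQE's or Microsoft's own tooling; the function name Test-Win11HardwareReadiness and the CSV file name are assumptions, and the thresholds are Microsoft's published Windows 11 minimums (the supported CPU model list is not checked).

```powershell
#Requires -RunAsAdministrator
# Added example: first-level Windows 11 hardware readiness check for one device.
# Function name and output path are hypothetical; thresholds are the published minimums.

function Test-Win11HardwareReadiness {
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    # Sum the installed modules: Win32_ComputerSystem.TotalPhysicalMemory excludes
    # firmware-reserved memory and would under-report a machine with exactly 4 GB.
    $ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
                 Measure-Object -Property Capacity -Sum).Sum

    # SpecVersion looks like "2.0, 0, 1.59"; the first field is the TPM family.
    # No instance is returned when the TPM is absent or disabled in firmware.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws on
    # legacy BIOS. "Disabled" still satisfies the "Secure Boot capable" requirement.
    try   { $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' } }
    catch { $secureBoot = 'Unsupported' }

    $checks = [ordered]@{
        Cpu64Bit   = $cpu.DataWidth -eq 64
        CpuCores   = $cpu.NumberOfCores -ge 2
        CpuClock   = $cpu.MaxClockSpeed -ge 1000      # MHz
        Ram        = $ramBytes -ge 4GB
        Storage    = $disk.Size -ge 64GB
        Tpm20      = $tpmVersion -eq '2.0'
        SecureBoot = $secureBoot -ne 'Unsupported'
    }
    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        CpuName      = $cpu.Name
        RamGB        = [math]::Round($ramBytes / 1GB, 1)
        SystemDiskGB = [math]::Round($disk.Size / 1GB, 1)
        TpmVersion   = $tpmVersion
        SecureBoot   = $secureBoot
        FailedChecks = $failed -join ';'
        Ready        = $failed.Count -eq 0
    }
}

# One row per device; collect the CSVs centrally to build the replacement list.
Test-Win11HardwareReadiness |
    Export-Csv -Path ".\win11-readiness-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Devices whose FailedChecks column is limited to Tpm20 or SecureBoot may only need a firmware setting changed, while CPU, RAM, or storage failures feed the substitution strategy.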


Conclusion 

The reliance on outdated operating systems in the pharmaceutical industry poses critical challenges, including cybersecurity risks, non-compliance with regulations, and operational vulnerabilities. With Microsoft ending support for Windows 10 in 2025, timely migration to modern platforms like Windows 11 is essential to ensure data integrity, system security, and regulatory adherence. 

A structured migration approach can minimize disruptions while addressing the unique needs of critical operations.  

Want to know more?

Since most of PQE Group's consultants have been working off-site for years, we have the proper know-how to implement IT and OT technical solutions and improve Smart Working performance, efficiency, business continuity and security.

Get in touch with us to implement the same solutions.

