A part of why security fails in many organizations is due to outside influences. For the Small to midsize market, it is further amplified. Not only are organizations running lean, they are working against forces seemingly beyond their control, such as integrating with third party systems, legacy standards, and cost constraints A larger organization has the ability to flex their muscle set the standards and lobby for changes that will ultimately improve their risk posture, where a smaller company may not.
One example that comes to mind is from a friend in the medical community. They are a small, but high volume outpatient surgery center that sees approximately 70-80 patients a day. They host their own infrastructure, they keep their systems up to date, and practice good security hygiene. Small on infrastructure but heavy enough on PHI to safeguard to be paranoid.
In large part, their revenue comes from patients who fall under the category of Medicare / Medicaid reimbursements. The Center for Medicare & Medicaid Services (CMS) has mandated certain reporting requirements on hospitals, physicians offices, ambulatory surgical centers, and other medical facilities who participate in the program. The reporting system, called QualityNet is "the only CMS-approved website for secure communications and healthcare quality data exchange between: quality improvement organizations (QIOs), hospitals, physician offices, nursing homes, end stage renal disease (ESRD) networks and facilities, and data vendors." To drive compliance with the mandate, CMS has stated, as of 2013, organizations who fail to participate can see a reduction in their overall reimbursement.
The reporting process has setup a compatibility test that an organization can use to verify their configuration against the system requirements. Configuring a workstation to meet these requirements should be a simple task for a non-technical person, however it raised a few red flags. While their systems passed the verification tests provided by QualityNet, they failed to successfully submit a report. Even after bringing in their IT support contractor, they ended up on the phone with the QualityNet helpdesk. They were stuck.
After a few questions and configuration changes, the representative at QualityNet instructed them to uninstall their existing Java version and install the QualityNet setup client. The client software installs a Java runtime environment and a small application that encrypts patient data prior to sending it to QualityNet.
As stated on the QualityNet website, the requirements stipulate (at least) support for IE 6.0/7.0 and Java 1.5.0_09. According to the documentation, a current version of Java is expected to work. However, the setup client installs a version of Java from 2007 with 36 publicly documented vulnerabilities.
From the Java Foundation: guidance on dealing with older versions of Java on your systems.