Re: They didn't say
It won't be a 9 year old server. When I say SCHIN "isn't a company", what I mean is, it's not a company that has to make a profit - which (in the case of gevernment IT) often translates as "Does not understand the concept of loss". It'll be a dedicated Windows 2003 Advanced server, I'd guess.
As for what's up with it? Well, NHS code is generally piss-poor, so we shouldn't be that surprised. Plain text SQL injection is very likely,. Another good NHS wheeze, is transferring data in CSV files, over unencrypted connections. In fact, I once had one NHS manager tell me they didn't use stunnel because "no one understands it" (and it was perfectly clear that any attempt to understand it, would be regarded as, effectively, an admission that you hacked computer systems in your spare time).