By DANNY JETER, CISSP

 

When it comes to security, healthcare managers do their best to balance risk and costs. In 2019 and 2020, that balance will be harder to maintain when “extended support” for some Microsoft products ends and forces healthcare organizations to upgrade or replace systems to remain compliant.

Security risks will increase when Microsoft stops providing security patches for several versions of its flagship operating systems. If your business uses Windows Server 2008 or SQL Server 2008 for networking, databases, messaging, and other office productivity functions, be aware that extended support for these products will end very soon.

Microsoft will end support for SQL Server 2008/R2 on July 9, 2019 and Windows Server 2008/R2 on Jan. 14, 2020. That means you have less than 12 months to migrate to a new platform, which could mean full replacement of systems and hardware. Microsoft will also end support for Windows 7 on Jan. 14, 2020.


What Does End of Extended Support Mean for Your Business?

If you haven’t upgraded or replaced your internal systems in a while, your organization may be running on these versions. Most EMR and ancillary software systems use Windows Server and SQL databases to store and process their data. End of support refers to the date when Microsoft no longer provides automatic fixes, security updates, or online technical assistance. Vulnerabilities in the operating system that are discovered after these dates will not be fixed by Microsoft. Furthermore, after that date Microsoft will no longer offer any type of support for the operating systems. It won’t be long before those systems are specifically targeted and exploited by hackers, criminals, and other bad actors.

 

Inaction Puts Your Business at Risk of Non-Compliance and Security Breaches

Healthcare organizations are subject to HIPAA regulations and mandated to take “reasonable security measures” to protect patient data. Running unsupported Microsoft applications puts organizations at risk of penalties and huge fines because those applications will no longer receive proactive patches and security updates. The risk of non-compliance and the potential for a breach increase exponentially after the end dates outlined above. Unsupported operating systems will be more vulnerable to malicious attacks. In addition, businesses that accept credit cards may lose their merchant privileges if they continue to run on an unsupported operating system. In short, your business and your data will be at risk.


What Should I Do?

You still have time to prepare and protect your business, provided you begin the process soon. This can take time, but with planning and the right guidance, you can ensure a smooth, successful transition. Here are a few pointers to get started:

  • Assess your situation by identifying servers running Windows Server 2008 or SQL Server 2008 and computers running Windows 7.
  • Take this time to carefully plan for any changes to your IT environment for the next 5 to 10 years.
  • Decide if moving applications to the cloud or hosted datacenter would be an option.
  • Evaluate applications impacted when upgrading to newer Microsoft products.
  • Define a timeline and budget to replace hardware and software.
  • Ensure line-of-business applications and vendor support are currently in place.
  • Consider and address how security, patching, and operational issues are managed.
  • Work with a qualified IT provider to complete your upgrade or migration.

 

Important Dates

SQL Server 2008/R2 – mainstream support has expired, and extended support will end July 2019

Windows Server 2008/R2 – mainstream support has expired, and extended support will end January 2020

Windows 7 – mainstream support has expired, and extended support will end Jan. 14, 2020

Office 2010 – mainstream support has expired, and extended support will end Oct. 13, 2020

 


Danny Jeter, CISSP, MCSE, is president and founder of Jeter IT Solutions, a Managed IT & Cyber Security Services company headquartered in Nashville, TN.

Contact Danny Jeter at danny@jeterit.com or call 615-863-4620. Visit www.jeterit.com for details on the full range of our managed IT, cyber security, and business continuity services available to healthcare organizations.