The Windows 7 End of Life HIPAA Dilemma
On January 14th, 2020 Microsoft will end support for Windows 7 and Windows Server 2008 R2. That means after the next patch Tuesday Windows 7 and Server 2008 R2 will no longer receive regular security updates.
What does that mean for healthcare practices that still use Windows 7 or Server 2008 R2?
Security Risk Assessments are a required part of a HIPAA compliance program. As part of the Security Risk Assessment (SRA), you should be identifying any technology that is at risk of being vulnerable to exploits and cyber threats.
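As an added example, not code from the original post, the PowerShell below turns that SRA step into something repeatable: it takes a computer inventory and flags every Windows 7 or Server 2008 R2 host, with how many days it has been past the January 14th, 2020 cutoff, so the hosts can be recorded and ranked in the assessment. The host names and inventory records are constructed, the Get-EndOfLifeHost function and $EndOfLifePatterns list are my own, and the comment near the bottom shows where a live Get-ADComputer query would replace the constructed data.

```powershell
# Added example (not from the original post): flag Windows 7 / Server 2008 R2
# hosts in a computer inventory so they can be recorded in the Security Risk Assessment.
# Assumption: inventory objects expose Name, OperatingSystem and LastLogonDate,
# which is the shape Get-ADComputer returns when those properties are requested.

# End of extended support for both operating systems (date stated in the post).
$EndOfSupport = Get-Date '2020-01-14'

# Wildcard patterns matching the operating systems whose support ended on that date.
$EndOfLifePatterns = @('Windows 7*', 'Windows Server 2008 R2*')

function Get-EndOfLifeHost {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Computer,
        [datetime]$AsOf = (Get-Date)
    )
    process {
        $os = $Computer.OperatingSystem
        $isEol = $false
        foreach ($pattern in $EndOfLifePatterns) {
            if ($os -like $pattern) { $isEol = $true; break }
        }
        # Supported operating systems produce no output, so the pipeline yields only findings.
        if (-not $isEol) { return }

        # Days the host has already run without regular security updates (0 before the cutoff).
        $daysUnsupported = [math]::Max(0, ($AsOf - $EndOfSupport).Days)
        $rating = if ($daysUnsupported -gt 0) { 'High' } else { 'Upcoming' }

        [pscustomobject]@{
            Name            = $Computer.Name
            OperatingSystem = $os
            LastLogonDate   = $Computer.LastLogonDate
            DaysUnsupported = $daysUnsupported
            RiskRating      = $rating
        }
    }
}

# Constructed sample inventory standing in for Get-ADComputer output.
$inventory = @(
    [pscustomobject]@{ Name = 'FRONTDESK-01'; OperatingSystem = 'Windows 7 Professional';          LastLogonDate = (Get-Date).AddDays(-1) }
    [pscustomobject]@{ Name = 'EHR-SRV-01';   OperatingSystem = 'Windows Server 2008 R2 Standard'; LastLogonDate = (Get-Date).AddDays(-2) }
    [pscustomobject]@{ Name = 'BILLING-02';   OperatingSystem = 'Windows 10 Pro';                  LastLogonDate = (Get-Date) }
)

# In a domain, replace the constructed list with the live query (RSAT ActiveDirectory module):
#   $inventory = Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate
$inventory | Get-EndOfLifeHost | Sort-Object DaysUnsupported -Descending | Format-Table -AutoSize
```

Running it against the constructed inventory lists FRONTDESK-01 and EHR-SRV-01 and omits the Windows 10 machine. The LastLogonDate column is there because a host that logged on yesterday is in active use and belongs at the top of the remediation list, while a stale account may simply need to be disabled and removed from the directory.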
Windows 7 and Server 2008 R2 have already been exposed to very large ransomware attacks in the past. Many Windows 7 computers remain unpatched against those threats.
As of October 2019, Windows 7 still held 27% of the Microsoft Windows market share. It is believed that the share will still be 13% (100 million computers) by 2021. That’s a lot of potential targets a year after security updates stop.
Windows 7 (and Server 2008 R2) will no longer be a secure option for your business. Once regular security updates stop, vulnerabilities will be discovered and left unfixed. These vulnerabilities will allow cyber attackers to gain access to your computers.
Once the attackers gain access to a computer on your network it becomes easier to gain access to EVERYTHING else.
A High-Level Overview of Life After Windows 7 Support Ends
We have seen numerous cases of attackers hanging around in business networks for years before wreaking havoc. There were several well-publicized incidents just last year.
A few months after Windows 7/Server 2008 R2 support ends, there will likely be unpatched vulnerabilities. The vulnerabilities might make it easier for attackers to gain access to those Windows 7 computers.
Once the attackers gain access to even one computer in your organization, they will take their time to figure out if you have anything of value (data) and how to best exploit this.
It’s likely that they will utilize tools, many of which are free or very cheap, to gain admin-level access to your network.
Now that they have admin access, they will likely steal your data and store it where they can access it again. If your network has access to any other valuable (in the attacker’s mind) assets they will also exploit this.
Once they are confident they have their gold (data) they will most likely launch a ransomware attack.
All your data will be encrypted. The attackers will demand a ransom, and probably threaten to expose the data they stole if you do not pay up. Even if you have a great backup/disaster recovery plan in place, you’re still exposed, because the copy they stole is already out of your control.
Your business is now at risk of being destroyed. 60% of businesses close within 6 months of a data breach.
Even if you do survive you will lose customers. Your business reputation will take a big hit.
Compliance Will Crush You If You’re On Windows 7
If you’re a healthcare provider, law firm, financial firm or any other regulated business, you’re going to be in even worse shape.
From a HIPAA perspective, the OCR could view this as negligence. If you performed the required Security Risk Assessment, you should have identified that Windows 7/Server 2008 R2 will be a risk after January 14th, 2020.
If you did not address it, this can look as though you did not follow the recommendations from your own SRA.
More likely you didn’t conduct an SRA as required under HIPAA. The fact that you still have Windows 7 on your network is a good indication that you do not have IT or are ignoring the advice of IT. Doing so is detrimental to your practice, and even more importantly, your patients. This is a good indication that you do not have a HIPAA compliance program in place.
The good news is the OCR will probably provide “technical assistance” the first time they visit. If they do this, you should heed their advice. The second time won’t be as pretty.
It’s Not About the HIPAA Potential Fine
I say all this because financial penalties seem to scare some healthcare practices into compliance.
The truth of the matter is you’re in a business that requires you to CARE for your clients. Part of caring for your clients is protecting them.
In the IT world, a good IT vendor will go above and beyond to secure, educate and mitigate risk to their clients’ technology and data.
In healthcare, you go to great lengths to protect the confidentiality, integrity, and availability of your clients’ health records.
The same is true in the legal and financial fields.
If you’re in business to care for someone you should take care of their sensitive data as well. It’s about taking care of people.
Is Windows 7 HIPAA Compliant?
The short answer is that after January 14th, 2020 it will be considered an unnecessary and avoidable risk. It will not be HIPAA compliant to use Windows 7/Server 2008 R2 even if you follow best practices (backups, encryption, security software, etc.).
You can purchase an extended support plan from Microsoft, but given the price and the risk that remains, it makes more sense to just upgrade to Windows 10.
A Final Thought on Windows 7 and Server 2008 R2
Windows 7 was one of my favorite Microsoft operating systems. It was stable, it worked well, and it was a big improvement over Vista. Its time has passed.
It has been a risky operating system for a few years now. It was a big target of the WannaCry ransomware outbreak that caused many businesses to go into a frenzy. Even if you were not hit by WannaCry, you probably spent a lot of money mitigating the risk.
The longer you keep Windows 7/Server 2008 R2 on your business network the bigger the risk becomes. It’s time to move on. It’s time to take care of your business and clients.
It’s amazing how technology changes and how it becomes outdated and at times dangerous with age, exactly what you’re discussing here. I have a few medical clients and HIPAA is at the top of the list when it comes to anything medical. It’s important to try to predict not only the product you are working with today, but to think of its longevity in this ever-changing world of tech.
HIPAA itself will see some changes soon. Like anything else innovation needs to happen or it dies.
Good to know! I always worry about my info getting out there. I know it has happened before in the past and you always hope social security numbers and such are safe.
I don’t really have much knowledge on this kind of subject, and I usually ask my boy friends to explain things to me. Good you clarify everything in such a way that even I can get familiar with certain topics. 🙂
My husband’s work was on Windows 7 up until this month. I had to go on my old computer to see his benefit stuff.
There are always some hiccups but overall the move past Windows 7 is smoother now. I switched to Windows 10 when it first came out and it was a bigger problem then.
Oh wow, I didn’t really know anything about this. I appreciate all this information. Thanks so much for sharing this with us!
Nobody should use software for which the support has ended. I liked Windows 7 as well, Vista was a joke, so unstable. But times have changed and now it’s Windows 10’s time to shine.
You are 100% correct especially when it comes to security.
I wonder if this could be the end of Microsoft Windows? Google seems to be replacing the need for buying the office suite.
Microsoft Windows will continue to evolve, as will Microsoft Corporation. I still use MS Office (Office 365), as do most people I know. I do find Google Docs useful at times too. The next phase will be AI and Virtual Reality.
It sounds like it’s time for an upgrade. That’s a phrase we all should be used to. It seems like software becomes obsolete so quickly now!
I kinda feel like it is a problem that companies are still using Windows 7. They should have updated long ago and then this would not be an issue.
That sounds like it’s going to be a problem. Updates are very important for so many reasons. Security especially.
I got a notification about this from my computer yesterday. She’s still on Windows 7 because it’s the best for gaming, but I suppose I’m now going to have to upgrade. I was intending on doing so anyway, just not as soon as this.
Interesting! I had no idea there was an issue!
Didn’t know that you lose support for running systems. Thanks for sharing and I will try to be up to date and keep with it.
I never knew that this was an issue. It’s amazing how technology has transformed and its uses have progressed greatly over the years. Thanks for sharing!