The Windows 7 End of Life HIPAA Dilemma
On January 14th, 2020, Microsoft will end support for Windows 7 and Windows Server 2008 R2. That means that after the next Patch Tuesday, Windows 7 and Server 2008 R2 will no longer receive regular security updates.
What does that mean for healthcare practices that still use Windows 7 or Server 2008 R2?
Security Risk Assessments (SRAs) are a required part of a HIPAA Compliance Program. As part of the SRA, you should be identifying any technology that is at risk of being vulnerable to exploits and cyber threats.
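One way to carry out that identification step in an Active Directory domain, as an added example that is not from the original post: a PowerShell inventory of computer objects still running Windows 7 or Server 2008 R2, written out as a finding for the SRA. It assumes the RSAT ActiveDirectory module is installed, the account running it can read computer objects, and the output path is a placeholder you would change.

```powershell
# Added example (not from the original post): list Active Directory computer
# objects whose operating system is Windows 7 or Windows Server 2008 R2 so they
# can be recorded as findings in the Security Risk Assessment.
# Assumes: RSAT ActiveDirectory module installed; read access to computer objects.
Import-Module ActiveDirectory

# Date on which regular security updates for these systems stop.
$EndOfLife = [datetime]'2020-01-14'

# OS name patterns to flag; the AD filter is built from them.
$Patterns = @('Windows 7*', 'Windows Server 2008 R2*')
$Filter   = ($Patterns | ForEach-Object { "OperatingSystem -like '$_'" }) -join ' -or '

$Computers = Get-ADComputer -Filter $Filter `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, Enabled

$Report = foreach ($c in $Computers) {
    [pscustomobject]@{
        Name            = $c.Name
        OperatingSystem = $c.OperatingSystem
        OSVersion       = $c.OperatingSystemVersion
        Enabled         = $c.Enabled
        LastLogonDate   = $c.LastLogonDate
        # Logged on within 30 days: still in daily use, highest priority to replace.
        RecentlyActive  = ($c.LastLogonDate -gt (Get-Date).AddDays(-30))
        # Negative before the deadline, positive once updates have already stopped.
        DaysPastEOL     = [int]((Get-Date) - $EndOfLife).TotalDays
    }
}

# Active machines first, then most recently seen, so the list reads as a priority order.
$Report | Sort-Object RecentlyActive, LastLogonDate -Descending | Format-Table -AutoSize

# Placeholder path: attach the CSV to the SRA as evidence of the finding.
$Report | Export-Csv -Path '.\sra-finding-eol-windows.csv' -NoTypeInformation
"Found $(@($Report).Count) Windows 7 / Server 2008 R2 computer objects"
```

Stale or disabled objects still appear in the list; a machine that has not logged on in months may already be retired, so confirm before counting it as an active risk.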
Windows 7 and Server 2008 R2 have already been exposed to very large ransomware attacks in the past. Many Windows 7 computers remain unpatched to those threats.
As of October 2019, Windows 7 still held 27% of the Microsoft Windows market share. It is believed that the share will still be 13% (100 million computers) by 2021. That’s a lot of potential targets a year after security updates stop.
Windows 7 (and Server 2008 R2) will no longer be a secure option for your business. Once regular security updates stop, new vulnerabilities will be discovered but not fixed. These vulnerabilities will allow cyber attackers to gain access to your computers.
Once the attackers gain access to a computer on your network it becomes easier to gain access to EVERYTHING else.
A High-Level Overview of Life After Windows 7 Support Ends
We have seen numerous cases of attackers hanging around in business networks for years before wreaking havoc. There were several well-publicized incidents just last year.
A few months after Windows 7/Server 2008 R2 support ends, there will likely be unpatched vulnerabilities that make it easier for attackers to gain access to those Windows 7 computers.
Once the attackers gain access to even one computer in your organization, they will take their time to figure out if you have anything of value (data) and how to best exploit this.
It’s likely that they will use tools, many of which are free or very cheap, to gain admin-level access to your network.
Now that they have admin access, they will likely steal your data and store it where they can access it again. If your network has access to any other assets the attacker considers valuable, they will exploit those as well.
Once they are confident they have their gold (data) they will most likely launch a ransomware attack.
All your data will be encrypted. The attackers will demand a ransom, and probably threaten to expose the data they stole if you do not pay up. Even if you have a great backup/disaster recovery plan in place, you’re still exposed, because the copy they already took is beyond your control.
Your business is now at risk of being destroyed. 60% of businesses close 6 months after a data breach.
Even if you do survive you will lose customers. Your business reputation will take a big hit.
Compliance Will Crush You If You’re On Windows 7
If you’re a healthcare provider, law firm, financial firm or any other regulated business, you’re going to be in even worse shape.
From a HIPAA perspective, the OCR could view this as negligence. If you performed the required Security Risk Assessment, you should have identified that Windows 7/Server 2008 R2 will be a risk after January 14th, 2020.
If you did not address it, this can look as though you did not follow the recommendations from your own SRA.
More likely, you didn’t conduct an SRA as required under HIPAA. The fact that you still have Windows 7 on your network is a good indication that you do not have IT support or are ignoring the advice of IT. Doing so is detrimental to your practice, and even more importantly, your patients. This is a good indication that you do not have a HIPAA compliance program in place.
The good news is the OCR will probably provide “technical assistance” the first time they visit. If they do this, you should heed their advice. The second time won’t be as pretty.
It’s Not About the HIPAA Potential Fine
I say all this because financial penalties seem to scare some healthcare practices into compliance.
The truth of the matter is you’re in a business that requires you to CARE for your clients. Part of caring for your clients is protecting them.
In the IT world, a good IT vendor will go above and beyond to secure, educate and mitigate risk to their clients’ technology and data.
In healthcare, you go to great lengths to protect the confidentiality, integrity, and availability of your clients’ health records.
The same is true in the legal and financial fields.
If you’re in business to care for someone you should take care of their sensitive data as well. It’s about taking care of people.
Is Windows 7 HIPAA Compliant?
The short answer is that after January 14th, 2020 it will be considered an unnecessary and avoidable risk. It will not be HIPAA compliant to use Windows 7/Server 2008 R2 even if you follow best practices (backups, encryption, security software, etc.).
You can purchase an extended support plan from Microsoft, but for the price and the remaining risk it makes more sense to just upgrade to Windows 10.
A Final Thought on Windows 7 and Server 2008 R2
Windows 7 was one of my favorite Microsoft operating systems. It was stable, it worked well, and it was a big improvement over Vista. Its time has passed.
It has been a risky operating system for a few years now. It was a big target of the WannaCry ransomware outbreak that caused many businesses to go into a frenzy. Even if you were not hit by WannaCry, you probably spent a lot of money mitigating the risk.
The longer you keep Windows 7/Server 2008 R2 on your business network the bigger the risk becomes. It’s time to move on. It’s time to take care of your business and clients.