Microsoft is ending support for its legacy IT infrastructure products Windows Server 2008 and 2008 R2 on Jan. 14, 2020. After that date, Microsoft will no longer provide regular security updates for those products.
Microsoft is offering two options for organizations running Windows Server 2008 and 2008 R2: upgrade to Windows Server 2016 or rehost workloads on its cloud service, Azure. Of course, upgrades cost money and cause disruption to the organization’s systems and processes.
Microsoft ending support for Windows Server 2008 and 2008 R2 could also present regulatory challenges for healthcare organizations running these products.
In its June 2018 Cybersecurity Newsletter, OCR stressed that HIPAA covered entities (CEs) and business associates (BAs) need to ensure their software and systems are updated to mitigate vulnerabilities.
“Under the HIPAA Security Rule, CEs and BAs are required to protect their ePHI, which includes identifying and mitigating vulnerabilities of computer programs and systems that could affect the security of ePHI. Identifying software vulnerabilities and mitigating the associated risks are important activities for CEs and BAs to conduct as part of their security management process and technical evaluations,” OCR explained.
“This includes identifying and mitigating risks and vulnerabilities that unpatched software poses to an organization’s ePHI. Mitigation activities could include installing patches if patches are available and patching is reasonable and appropriate,” OCR related.
“In situations where patches are not available (e.g., obsolete or unsupported software) or testing or other concerns weigh against patching as a mitigation solution, entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level (e.g., restricting network access or disabling network services to reduce vulnerabilities that could be exploited via network access),” it added.
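OCR's guidance above comes down to two steps: find the systems whose vendor support has ended, then patch, replace or isolate them, starting with the ones reachable over the network. The script below is an added example illustrating that review, not code from the article, Microsoft or OCR. Its end-of-support table holds only the date the article states for Windows Server 2008, 2008 R2 and Windows 7; the hostnames, OS strings and the `network_exposed` field are constructed stand-ins for whatever an organization's own inventory export provides.

```python
"""Flag inventory hosts still running OS versions whose vendor support has ended.

Added example (not from the article): the end-of-support table holds only the
date the article states; the inventory rows and field names are constructed.
"""
from datetime import date

# End-of-support date stated in the article for the products it names.
END_OF_SUPPORT = {
    "windows server 2008 r2": date(2020, 1, 14),
    "windows server 2008": date(2020, 1, 14),
    "windows 7": date(2020, 1, 14),
}

# Constructed inventory export (hypothetical hosts and field names).
SAMPLE_INVENTORY = [
    {"host": "srv-ehr-01", "os": "Windows Server 2008 R2 Standard", "network_exposed": True},
    {"host": "srv-file-02", "os": "Windows Server 2008 Enterprise", "network_exposed": False},
    {"host": "srv-app-03", "os": "Windows Server 2016 Datacenter", "network_exposed": True},
    {"host": "ws-frontdesk-07", "os": "Windows 7 Professional", "network_exposed": False},
    {"host": "ws-billing-12", "os": "Windows 10 Enterprise", "network_exposed": True},
]


def end_of_support_date(os_name):
    """Return the end-of-support date for an OS string, or None if it is not in the table.

    Matching is on the product-name prefix so edition suffixes ("Standard",
    "Professional") in inventory exports do not prevent a match; longer keys
    are tried first so "2008 R2" is not reported as plain "2008".
    """
    normalized = " ".join(os_name.lower().split())
    for product in sorted(END_OF_SUPPORT, key=len, reverse=True):
        if normalized.startswith(product):
            return END_OF_SUPPORT[product]
    return None


def find_unsupported(inventory, as_of):
    """Return hosts whose OS is past its end-of-support date on `as_of`.

    A host is flagged only once the date has passed, matching the article's
    "after that date" wording. Network-exposed hosts get a higher priority
    because the compensating controls OCR names (restricting network access,
    disabling network services) apply to them most directly.
    """
    findings = []
    for row in inventory:
        eol = end_of_support_date(row["os"])
        if eol is None or as_of <= eol:
            continue
        findings.append({
            "host": row["host"],
            "os": row["os"],
            "end_of_support": eol.isoformat(),
            "priority": "high" if row["network_exposed"] else "medium",
        })
    # Highest-risk hosts first, then a stable order by hostname within a priority.
    findings.sort(key=lambda f: (f["priority"] != "high", f["host"]))
    return findings


if __name__ == "__main__":
    for f in find_unsupported(SAMPLE_INVENTORY, date(2020, 2, 1)):
        print(f"{f['priority']:<6} {f['host']:<16} {f['os']} (support ended {f['end_of_support']})")
```

In practice the inventory would come from a directory or asset-management export rather than the constructed list, and the output feeds the risk-analysis record OCR expects: each flagged host either gets replaced, or gets a documented compensating control until it is.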
Mike Semel, president and chief security officer of Semel Consulting, said that his firm conducted an assessment for a medium-sized healthcare organization and found that 121 of their 122 PCs and 15 of their 17 servers needed to be replaced because of Microsoft's decision (Microsoft is also ending support for Windows 7 on the same date).
Semel estimated that this would cost the organization more than $200,000 and take more than seven weeks of non-stop work.
“My experience is that everyone from the IT department to management underestimates the time it takes to configure a secure and compliant system, go to a user’s desk, crawl around on the dusty floor to unplug the old system, install the new system and test it, properly dispose of the old system, and then document each replacement at a level that will withstand a HIPAA audit or breach investigation,” he related.
“Our client has two IT staff members who are already stretched to support their workforce, and whose support needs won’t go away for 7 weeks so the computers can be replaced. Neither tech has the Microsoft certification for securely configuring the newest server operating system, so add another week or two for that,” he added.
HIPAA fines could be levied on healthcare organizations that postpone upgrades past the Jan. 14 date. For example, Anchorage Community Mental Health Services (ACMHS) was fined $150,000 for an ePHI data breach affecting 2,743 individuals.
“OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software,” the OCR bulletin explained.
Then-OCR Director Jocelyn Samuels commented: “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”