Microsoft is ending support for its legacy IT infrastructure products Windows Server 2008 and 2008 R2 on Jan. 14, 2020. After that date, Microsoft will no longer provide regular security updates for these products.
Microsoft is offering two options for organizations running Windows Server 2008 and 2008 R2: upgrade to Windows Server 2016 or rehost workloads to Microsoft's cloud service Azure. Of course, upgrades cost money and cause disruption to the organization's systems and processes.
Microsoft's ending support for Windows Server 2008 and 2008 R2 could also present regulatory challenges for healthcare organizations running these products.
In its June 2018 Cybersecurity Newsletter, OCR stressed that HIPAA covered entities (CEs) and business associates (BAs) need to ensure their software and systems are updated to mitigate vulnerabilities.
“Under the HIPAA Security Rule, CEs and BAs are required to protect their ePHI, which includes identifying and mitigating vulnerabilities of computer programs and systems that could affect the security of ePHI. Identifying software vulnerabilities and mitigating the associated risks are important actions for CEs and BAs to conduct as part of their security management process and technical evaluations,” OCR explained.
“This includes identifying and mitigating risks and vulnerabilities that unpatched software poses to an organization's ePHI. Mitigation actions could include installing patches if patches are available and patching is reasonable and appropriate,” OCR related.
“In situations where patches are not available (e.g., obsolete or unsupported software) or testing or other concerns weigh against patching as a mitigation solution, entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level (e.g., restricting network access or disabling network services to reduce vulnerabilities that could be exploited via network access),” it added.
Mike Semel, president and chief security officer of Semel Consulting, said that his firm conducted an assessment for a medium-sized healthcare organization and found that 121 of their 122 PCs and 15 of their 17 servers needed to be replaced because of Microsoft's decision (Microsoft is also ending support for Windows 7 on the same date).
Semel estimated that this would cost the organization more than $200,000 and take more than seven weeks of continuous work.
“My experience is that everyone from the IT department to management underestimates the time it takes to configure a secure and compliant system, go to a user's desk, crawl around on the dusty floor to unplug the old system, install the new system and test it, properly dispose of the old system, and then document each replacement at a level that will withstand a HIPAA audit or breach investigation,” he related.
“Our client has two IT staff members who are already stretched to support their workforce, and whose support needs won't go away for 7 weeks so the computers can be replaced. Neither tech has the Microsoft certification for securely configuring the newest server operating system, so add another week or two for that,” he added.
HIPAA fines could be levied on healthcare organizations that postpone upgrades past the Jan. 14 date. For example, Anchorage Community Mental Health Services (ACMHS) was fined $150,000 for an ePHI data breach affecting 2,743 individuals.
“OCR's investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software,” the OCR bulletin explained.
Then OCR Director Jocelyn Samuels commented: “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that could leave patient information susceptible to malware and other risks.”