Health IT Alert: Windows Server 2003 End of Life

FBI Agent“Why is the FBI here to see me?” you are wondering when you are told that there are two Special Agents in your waiting area.  They come into your office, you close the door, and their first words are, “We have discovered that all of your patient records are for sale on the Internet.” This happens more often than you can imagine.

On July 14, 2015, Microsoft is ending security patches and updates for Windows Server 2003, a very popular operating system used by many medical practices, hospitals, and Business Associates.

So what?

  1. This is a bigger problem than last year when support ended for Windows XP. Servers are where your critical data is consolidated, and the security risk assessments we do every day show that they are not as protected as they should be. Replacing a PC interrupts the work of one user, while changing a server will interrupt your entire organization. This needs to be planned.
  1. Servers are at a higher risk if they are attacked. IT guys don’t like running anti-virus software on servers, because they believe it will slow down performance. The anti-virus software companies provide detailed guidance on how to configure their software to minimize performance degradation. We find that many IT departments and outsourced vendors don’t know this, or are just stubborn and won’t do it. Even if there is a minor performance hit, that is a side-effect of Security, like taking off your shoes at an airport or emptying your pockets when you enter a government building. Being secure is worth a little inconvenience.
  1. Our assessment tools find many servers aren’t getting the patches that are available now. Sometimes we hear from IT that they are worried that a patch might crash the server and interrupt work, so they wait a month before installing new ones. This sounds logical, until we look and find that patches haven’t been applied for over 6 months, and sometimes never.
  1. You may have a bigger problem than you can see. Servers used to be individual devices, sometimes in racks with many stacked on top of each other. You could see how many servers you had. Now many servers are virtualized, meaning one physical box can house up to 10 servers.
  1. Servers are harder to replace than PC’s. Engineers familiar with the new server operating system must properly configure the replacement for secure user and data management, migrate the data from the old server, and properly dispose of the old equipment by wiping data from the hard drives, which can take time because the drives are big. Finally they have to make sure the drives are physically destroyed. Every step must be documented and the records saved for 6 years to comply with HIPAA.
  1. You have a big financial risk if a server is compromised. A small clinic was fined $ 150,000 for using an unsupported operating system. The headline for the press release read ‘HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software.’ The director of the Office for Civil Rights said, “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
  1. The 2015 IBM Cost of a Data Breach Report was just released and the Ponemon Institute determined that a data breach of healthcare records averages $ 398 per record. You are thinking that it would never cost that much to notify patients, hire attorneys, and plug the holes in your network. You’re right. The report goes on to say that almost ¾ of the cost of a breach is in loss of business and other consequences of the breach. If you are a non-profit that means fewer donations. If you are a doctor or a hospital it could mean your patients lose trust and go somewhere else.
  1. If your server is breached and your medical records are for sale on the Internet, you have to notify the federal government, notify your state attorney general, notify your patients, inform the media, deal with the investigations (more than one because a lot of agencies investigate data breaches,) and deal with the fallout afterwards. What are you going to tell the newspaper? How are you going to look on TV? If you have a board of directors, are you going to blame your IT staff?

You can’t ignore your technology because the risks are too high. From your desk you can’t tell if a server is Windows 2003, or if it is physical or virtualized. Talk to your IT staff. Bring in an outside company to do a Security Risk Analysis. Also look for other unsupported software, like Windows XP, Microsoft Office 2003, Microsoft Exchange 2003, and old versions of Adobe Reader.

If you find you have unsupported software in your organization you need to act fast. You may have to speed up the approval and purchasing process. You may need to float the purchase on a credit card for a few months. You may have to bring in an outside vendor to deploy new servers, or to cover for your staff’s daily work while they do the deployment.

They are nice people, but you really don’t want FBI agents visiting your office.