Less Than a Year to Replace Windows 7 and Server 2008

When Microsoft ends support you will be unsecure and non-compliant

Time is running out. And you probably don’t have the resources you need.

Microsoft is ending security patches and updates for Windows 7 and Server 2008 in less than a year – January 14, 2020. Continued use will put your organization at risk and in non-compliance with HIPAA.

UNSECURE

Patching security vulnerabilities is critical to protecting your data. A missed patch was the cause of the Equifax breach, hurting millions of people, costing millions of dollars and resulting in the resignation of the CEO. Some of the smartest people in the world are at the Massachusetts Institute of Technology (MIT). Number 1 on their Top Ten Safe Computing Tips is Patch, Patch, PATCH!

NON-COMPLIANT

Continuing to use systems that are no longer supported with security patches violates HIPAA’s requirements to protect devices against malicious software. The US Department of Health and Human Services Office for Civil Rights (OCR), the HIPAA enforcement agency, issued guidance about patching that says:

Under the HIPAA Security Rule, HIPAA Covered Entities and Business Associates are required to protect their ePHI, which includes identifying and mitigating vulnerabilities of computer programs and systems that could affect the security of ePHI.

A HIPAA settlement penalized the nonprofit Anchorage Community Mental Health Services, Inc. because it “failed to implement technical security measures to guard against unauthorized access to e-PHI… by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

“Successful HIPAA compliance requires a common-sense approach to assessing and addressing the risks to ePHI on a regular basis,” said OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

We just completed an assessment for a medium-size healthcare organization. They have less than a year to replace 121 of their 122 PCs and 15 of their 17 servers.

New business-class PCs, plus a mix of physical and virtual servers, will cost over $200,000.

SECURITY

Data is worth more than gold.

Having Microsoft-certified engineers configure new systems, especially servers that house the bulk of your data, is critical to ensuring your patients, your organization, and your career are all protected.

Misconfigured servers have published patient data to the Internet, costing NY Presbyterian Hospital and Columbia Medical Center $4.8 million and St. Joseph Health over $2 million in HIPAA penalties. Cottage Health had to pay over $6 million between a $4.1 million patient lawsuit and a $200,000 fine from the California Attorney General.

Cottage Health thought its cyber liability insurance would cover the lawsuit costs, only to have their insurance company sue them to recover the settlement money after it discovered that Cottage Health had not implemented the security measures they had described on their insurance application.

A recent study published in the American Journal of Managed Care determined that hospitals that suffered data breaches had a whopping 64% increase in advertising costs.

STRAINED RESOURCES

Based on my 35+ years managing IT environments, and deploying thousands of systems, I calculated that it will take over 7 WEEKS of non-stop work for our client to replace everything.

Replacing a PC takes 2 hours, from the time the box for the new PC is opened, through all the compliance checklist items, until the old PC has had its hard drive destroyed and is disposed of, and the documentation is completed. I estimate 2.5 hours to replace each server.

121 PCs x 2 hours = 242 hours.

Divide the hours by 40-hour weeks and it will take over 6 weeks full-time just to replace the PCs.

15 servers x 2.5 hours = 37.5 hours.

Almost a full week to replace the servers, which can only be done at night or on weekends to minimize business disruptions.

Servers must be securely configured by engineers certified in the latest operating systems, because they store your protected and most sensitive data. Extra care must be taken to ensure that they aren’t accidentally published to the Internet, causing an expensive and embarrassing HIPAA violation.

The total time for the PCs and servers is 7 weeks of non-stop work.

Using automated tools may reduce the time to configure PCs, which may give you a false sense that this is a quick process. However, my experience is that everyone from the IT department to management underestimates the time it takes to configure a secure and compliant system, go to a user’s desk, crawl around on the dusty floor to unplug the old system, install the new system and test it, properly dispose of the old system, and then document each replacement at a level that will withstand a HIPAA audit or breach investigation.

Our client has two IT staff members who are already stretched to support their workforce, and whose support needs won’t go away for 7 weeks so the computers can be replaced. Neither tech has the Microsoft certification for securely configuring the newest server operating system, so add another week or two for that.

They are also stretched for configuration space. It is hard to handle the logistics of dealing with over 100 computers and servers in boxes, the bench space needed to configure multiple systems at a time, and a collections area to handle the retired computers.

Systems must be configured with effective security controls, and then deployed so users can access sensitive and protected data, print to the correct printers, and connect to the right websites. Users don’t want to lose things like their web browser favorites when they get a new computer.

So, what are their choices, since doing nothing isn’t an option?

  1. Have one member of the two-person internal IT department stop supporting the needs of the staff for 7 weeks and focus 100% on deploying new systems.
  2. Spread out the 7-week deployment using the IT staff, over a long period of time.
  3. Hire, train, and manage temporary staff to deploy the new systems.
  4. Outsource the deployment project while the IT staff continues to support the workforce.

What would be your best choice?

Not number 1, because stopping end-user support is a non-starter. Your organization cannot function without half its IT support for 7 weeks straight.

Not number 2, spreading out the deployment. It might work but consider that if the project is started in May 2019, you will be diverting your IT staff for a full week per month to the deployment project. What impact will losing IT support for 1 week per month have on your organization? Don’t forget that you may already be losing IT resources to summer vacations.

Not number 3, hiring temporary staff, which is more challenging than it might seem. You need experienced IT professionals to properly configure and deploy systems in today’s threat-filled and regulated landscape. There is a cost to training and managing temporary staff, both in time and in dollars.

Number 4, outsourcing, is a service I provided when I had an IT company and is what I turned to when I was faced with this type of challenge as a hospital and K-12 school district Chief Information Officer (CIO).

By outsourcing I was able to hire a trusted IT company that had experience securely deploying thousands of systems. Their technicians and server engineers had the latest security and Microsoft certifications. They had invested in tools to automate the configurations including transferring the personal settings for each user. They used quality control checklists, so they didn’t miss things like ensuring users could print to the nearest multi-function copier.

Most important, they didn’t just talk about HIPAA – they had provided us with evidence that they truly understood the regulations we faced. They had implemented a full HIPAA compliance program. Their techs were trained in HIPAA. They knew the details of the HIPAA Security Rule and had done their own internal HIPAA risk analysis. They knew how to properly secure and destroy systems that contained Protected Health Information (PHI). The documentation and checklists they provided me were detailed. Bottom line: I knew that they wouldn’t get me into compliance trouble and would pass a HIPAA audit if selected.

Our IT vendor helped with logistics and lowered our costs by having us ship the PCs and servers to their office, where they configured them without impacting our space-challenged facilities. They brought the new systems onsite, deployed them, and then properly disposed of the old equipment. Everything was well-documented.

Meanwhile, our IT staff continued to support our users, maintaining customer satisfaction and worker productivity. The new deployments brought a few extra support calls, but the preparation and quality work done by our vendor minimized disruptions.

Was this expensive? Not as much as you would think compared to the lost productivity if you use your current staff, or the cost of hiring, training, and managing temporary workers. Because our vendor was skilled, certified, and experienced at large deployments, they had tools and quality control systems in place that our staff wouldn’t have thought of. The deployment team was managed by our vendor’s management team, reducing our costs even further.

Waiting will only make the problem even more challenging and more expensive.

If our client waits until, say, October to replace their systems, they will need to squeeze the work into just three months. If they approach an IT company in October, they are likely to find them busy or unavailable due to other deployment projects. (Remember, the deadline is the same for every business in every industry.)

The closer you get to the January 14, 2020 deadline, the more likely it is that costs will increase. If I still owned an IT Managed Service Provider company, I would be increasing my fees as the deadline approached.

The clock is ticking. Don’t wait. Be an Early Bird. You will sleep better.


About the author

Mike Semel

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.