Stay Compliant After the Windows Deadline

What will your executives, board, and the public think if you report a breach that could have been prevented? If you have Windows 7 and Windows Server 2008 systems, doing nothing isn’t an option.

After January 14, 2020, Windows 7 and Windows Server 2008 will no longer receive security patches and updates from Microsoft. Systems running those operating systems will stay exposed to every newly discovered vulnerability, because no fix will ever ship for them, and their continued use will put you out of compliance with HIPAA and other regulations. Other unsupported software, such as Microsoft SQL Server 2008, which reached end of support in July 2019, presents the same security and compliance risk.

Fortunately, Microsoft has a way to buy extended support instead of replacing everything by the looming deadline.

For the next three years, Microsoft will sell Extended Security Updates (ESU) so you can still get critical security patches for Windows 7. For Windows Server 2008 and SQL Server 2008, ESU requires Software Assurance licensing. Windows 7 ESU is sold only through Microsoft Cloud Solution Providers (CSP). Prices range from $25 to $200 per device and rise each year until the ESU program ends in January 2023.

While this may seem pricey, consider the risks.


The Equifax breach happened because the company's IT staff did not install an available security patch on a web server. Equifax's settlement with the FTC and other regulators was up to $700 million.

Wired Magazine’s headline says it all:

Equifax Officially Has No Excuse

A patch that would have prevented the devastating Equifax breach had been available for months.

That’s really bad. What is worse is continuing to use systems that cannot get patches at all.

In its most recent ransomware guidance, the FBI said the two most important ways to protect against ransomware are good backups and… “Make sure all installed software and operating systems are kept updated. This helps to prevent vulnerabilities from being exploited by the attackers.”

What Could Possibly Go Wrong?

Vulnerabilities are catalogued as CVE entries and ranked using the Common Vulnerability Scoring System (CVSS), an open framework for describing the characteristics and severity of a software vulnerability so that security and incident response teams can prioritize it.

Windows Server 2003 lost its patches and updates in 2015. CVE Details now lists 327 vulnerabilities for it rated High or Critical (CVSS scores between 7 and 10) that will never be fixed. Of those, 23 carry a score of 10, the highest rating possible. (Source: CVE Details)

Cost Justification

Business risks are huge. According to the 2019 IBM Cost of a Data Breach Report, the average breach cost for companies below 1,000 employees was $2.65 million. And cyber liability insurance policies require you to consistently implement security controls (like patching), or they may not pay when you need them.

Beazley Insurance reported an average ransomware demand of $116,000, and Datto reported that the cost of downtime caused by ransomware was 23 times the ransom demand.

Companies and executives are often blamed, in high-profile class-action or shareholder lawsuits, for not doing enough to protect critical data. Patients recently sued a regional hospital after a ransomware attack, alleging that the hospital's failure to protect their data affected their health. In 2019, lawsuit settlements were announced that ranged from $6 million (Banner Health) to $74 million (Premera).


If you have written cyber security policies, they undoubtedly require that you implement a security program that includes patches and updates. Even if you don’t have formal policies, you must comply with the data protection promises you make to consumers in your website’s privacy policy. You also have to comply with at least one state data breach law (all states have laws that protect data).

The HIPAA Privacy Rule requires that medical information be protected, and the HIPAA Security Rule requires that systems be protected against malicious software. You tell patients that you will protect their information, and having a breach violates that promise.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said former OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

If you take credit cards, PCI compliance requires patches and updates. The recently enacted New York SHIELD Act will soon require every business that stores information about New Yorkers to have safeguards in place to identify and control risks, a standard you cannot meet with software that can no longer be patched.

Perhaps the greatest enforcement will come from the Federal Trade Commission (FTC), which uses its wide authority to protect consumers by enforcing cyber security best practices. Consider it a warning to your business that the FTC issued guidance in 2019 entitled “Update Your Software Now.”

The FTC considers weak cybersecurity to be an unfair business practice.

You don’t want to be telling the FTC you still use software that can’t be updated.

About the author

Mike Semel

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.