Windows Server 2003 End-of-Life and HIPAA
Microsoft maintains a software support lifecycle for all of their products that ensures customers are not surprised when support drops off on older platforms. Business desktop and server operating systems are supported for a total of ten years. This ten-year period consists of two five-year stages with different types of support provided: mainstream support and extended support.
Windows Server 2003 extended support ends on July 14, 2015. After this date, Microsoft will no longer provide security updates for Windows Server 2003. This could represent a risk in maintaining HIPAA compliance for health care providers on Windows Server 2003.
HIPAA Concerns for Health Care Providers
The HIPAA regulations are covered in the Code of Federal Regulations (CFR) Title 45. As per the HIPAA Security Rule section 164.308(a)(5)(ii)(B), health care entities must have “procedures for guarding against, detecting and reporting malicious software” in place.
It will be difficult to “guard against” malicious software on servers running the unsupported operating system once Microsoft stops providing security updates for Windows Server 2003. Merely having this operating system version in your data center after July 14, 2015 could be putting you at risk. There are dangers involved even if you do not have parts of your EHR system running on Windows Server 2003.
- Cybercriminals will work harder on unsupported software platforms to find exploits and vulnerabilities to attack
- Third party vendors will likely offer some protection for unsupported operating systems but will phase that support out over time
- When security updates are released for supported operating systems, hackers will reverse engineer those updates and test those vulnerabilities against unsupported operating systems
Easy Steps to Prepare and Protect
The first step is to determine your exposure and perform a complete inventory of Windows Server 2003 servers in your environment. The location of servers and workloads running on these servers will also help in determining where you are most exposed. Armed with this information, determine which servers to retire and which to upgrade.
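One way to start that inventory for domain-joined servers is to query Active Directory, shown here as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the 90-day staleness threshold and the output path are illustrative choices.

```powershell
# Added example: inventory of domain-joined Windows Server 2003 hosts.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$staleAfterDays = 90                        # assumption: no logon in 90 days = likely retired
$reportPath     = '.\ws2003-inventory.csv'  # hypothetical output path
$cutoff         = (Get-Date).AddDays(-$staleAfterDays)

# Computer accounts whose recorded operating system is Windows Server 2003
$servers = Get-ADComputer -Filter "OperatingSystem -like 'Windows Server 2003*'" `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate,
                IPv4Address, Description, CanonicalName

$inventory = foreach ($s in $servers) {
    [pscustomobject]@{
        Name        = $s.Name
        OS          = $s.OperatingSystem
        ServicePack = $s.OperatingSystemServicePack
        IPv4Address = $s.IPv4Address
        # Parent container, a rough proxy for site or business unit
        Location    = ($s.CanonicalName -replace '/[^/]+$', '')
        # Free-text description, often the only hint of the workload
        Description = $s.Description
        LastLogon   = $s.LastLogonDate
        # Accounts with no recent logon may already be decommissioned
        Status      = if ($s.LastLogonDate -and $s.LastLogonDate -ge $cutoff) {
                          'Active'
                      } else {
                          'Stale'
                      }
    }
}

# Full list for the retire-or-upgrade decision
$inventory | Sort-Object Location, Name |
    Export-Csv -Path $reportPath -NoTypeInformation

# Summary: where the remaining Windows Server 2003 hosts are concentrated
$inventory | Group-Object Location, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Servers that are not joined to the domain do not appear in this query, so workgroup and isolated hosts need a separate check.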
Cisco Advanced Services Can Help
We work with customers on implementing new technology or updating older systems every day. If you need assistance moving off Windows Server 2003, we can help. Get in touch with your Advanced Services CSX, SSC, or Services Sales Executive to learn more about how we can deliver services to migrate and manage retirement of Microsoft Windows Server 2003 and keep your customer’s health care network compliant.