Is Your Health Care Organization at Risk? Microsoft Ends Support for Windows 2007

January 29, 2020Articles

On Jan. 14, 2020, Microsoft ended support for its Windows 2007 operating system. This means Microsoft will no longer issue regular security updates for users of Window 2007.

The process of issuing security updates for computer systems is commonly referred to as “patching.” Similar to fabric patches that repair holes in clothing, software patches repair holes in computer programs. In other words, software patches are updates that fix defects or vulnerabilities within a program not known at the time the program was developed. Typically, operating system developers, such as Microsoft, will issue patches as soon as possible to fix critical vulnerabilities. However, developers eventually stop creating patches for older systems that are no longer in production. Further, Microsoft support staff will not be available via phone or email to help with any security-related questions for Windows 2007.

Why should health care organizations be concerned? According to recent research from Cisco’s Duo Security[1], more 56 percent of health care organizations still use the now-outdated Windows 7 operating system, while just 44 percent have implemented Windows 10.

Companies that use unpatched systems face significantly higher cybersecurity risk. For example, 2017’s WannaCry ransomware attack affected nearly 230,000 devices across the world and caused nearly $4 billion dollars in losses.[2] Notably, the WannaCry ransomware variant exploited a vulnerability in Windows 7 systems for which Microsoft had issued a patch months earlier.  One of the largest victims of the attack was the United Kingdom’s National Health Service, which had to cancel approximately 20,000 appointments as hospitals and clinics were forced offline.[3]

As a result, your organization should accelerate its migration away from Windows 7 while limiting the program’s use in the interim. Since cyberattacks have increased in frequency and severity, your organization also needs to develop a cyber-resiliency plan that ensures processes are in place in the event a security incident occurs. Patient care and safety is a primary component of such a plan, but other considerations include scheduling, billing, and payroll.

If you have any questions regarding security measures your organization can implement to protect against or recover from cyberattacks or general questions regarding compliance with cybersecurity regulatory frameworks, such as HIPAA, please contact your Dinsmore health care attorney.




[3] Id.