
Cybersecurity Impact of Microsoft’s End to Windows 7 Support

Microsoft is ending support for Windows 7 and two legacy server platforms on Jan 14, which CynergisTek’s Clyde Hewitt says will rapidly increase cybersecurity risks to the healthcare sector.


By Jessica Davis

Microsoft will end its support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 on January 14, marking the end of regular security updates. Given that 56 percent of the healthcare sector still relies on Windows 7, the impact of failing to transition to newer systems could be severe.

Forescout research shows that 70 percent of all healthcare devices run on Windows systems, including versions that Microsoft will no longer support going forward. Until now, Microsoft has continued to push out major patches and monitor changes to software protections each month.

But many healthcare providers fail to patch even publicly known vulnerabilities, despite the sector having the largest percentage of devices running on the outdated platform compared to other industries.

Clyde Hewitt, executive advisor at CynergisTek, noted that while the end of support won’t mean the end of the world, it will mean a steep increase in cybersecurity risk to the sector.

“Absolutely nothing will happen on January 15: all known vulnerabilities have been patched by Microsoft,” Hewitt said. “However, the next vulnerability to be discovered will not receive a patch from Microsoft.”

“It means that when something happens, it’ll be like calling the 9-1-1 center and everyone has gone home,” he continued. “When the next vulnerability is identified, there will be no one on the phone with Microsoft. The service will be over, and organizations are going to have to fend for themselves and implement compensating controls.”

Business Continuity Planning

IT and security leaders, especially those with limited resources, should accelerate the Windows 7 exodus conversations and limit the platform’s use, Hewitt stressed.

Organizations also need to strengthen their firewalls and user training. But the most cost-effective measure would be micro-segmentation of the network, so that “when, and not if, they experience an abnormal event they can at least contain the damage.”
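One way to turn the “limit the platform’s use” advice into a repeatable check, as an added example that is not part of the article or anything CynergisTek published: a short inventory script that flags the three platforms named above and groups them by network segment, which is the input a micro-segmentation plan needs. The CSV inventory, hostnames and segment names are constructed for illustration; the 14 January 2020 end-of-support date is Microsoft’s published date for these platforms.

```python
"""Flag hosts whose Windows platform lost vendor support on 2020-01-14.

Added example, not code from the article or from CynergisTek. It assumes
an asset inventory exported as CSV with hostname, os and segment columns;
the inventory embedded below is constructed for illustration.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import date

# The three platforms named in the article; the date is Microsoft's
# published end-of-support date for all of them.
END_OF_SUPPORT = date(2020, 1, 14)
REPORT_DATE = date(2020, 1, 15)  # the "day after" the article talks about
EOL_PATTERNS = [
    re.compile(r"windows\s+7\b", re.I),                    # Windows 7 (any edition)
    re.compile(r"windows\s+server\s+2008(\s+r2)?\b", re.I),  # Server 2008 and 2008 R2
]

# Constructed inventory: hypothetical hosts, OS strings and segments.
SAMPLE_INVENTORY = """hostname,os,segment
ehr-app-01,Windows Server 2008 R2 Standard,clinical
ehr-app-02,Windows Server 2016 Standard,clinical
infusion-ws-03,Windows 7 Professional,clinical
payroll-db-01,Windows Server 2008 Standard,business
hr-ws-11,Windows 10 Enterprise,business
imaging-ws-07,Windows 7 Embedded,clinical
"""


def is_unsupported(os_name: str) -> bool:
    """True if the OS string names a platform whose support has ended."""
    return any(p.search(os_name) for p in EOL_PATTERNS)


def load_inventory(csv_text: str) -> list[dict]:
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def flag_unsupported(rows: list[dict], today: date) -> list[dict]:
    """Return only the unsupported hosts, annotated with days past end of support."""
    flagged = []
    for row in rows:
        if is_unsupported(row["os"]):
            flagged.append({**row, "days_unsupported": (today - END_OF_SUPPORT).days})
    return flagged


def summarize_by_segment(rows: list[dict], flagged: list[dict]) -> dict[str, tuple[int, int]]:
    """Map segment -> (unsupported hosts, total hosts), to prioritise segmentation work."""
    total: dict[str, int] = defaultdict(int)
    bad: dict[str, int] = defaultdict(int)
    for r in rows:
        total[r["segment"]] += 1
    for r in flagged:
        bad[r["segment"]] += 1
    return {seg: (bad[seg], total[seg]) for seg in total}


def unsupported_share(rows: list[dict], flagged: list[dict]) -> float:
    """Fraction of the whole estate that will receive no further vendor patches."""
    return len(flagged) / len(rows) if rows else 0.0


if __name__ == "__main__":
    rows = load_inventory(SAMPLE_INVENTORY)
    flagged = flag_unsupported(rows, REPORT_DATE)
    for seg, (n_bad, n_total) in summarize_by_segment(rows, flagged).items():
        print(f"{seg}: {n_bad}/{n_total} hosts without vendor patches")
    print(f"share of estate unsupported: {unsupported_share(rows, flagged):.0%}")
```

The per-segment counts are the useful output: a segment where most hosts are unsupported (the clinical segment in the constructed data) is the one to isolate first, and the hosts listed there are the ones that need compensating controls until they are replaced.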

As attacks have become increasingly severe, Hewitt stressed that hospitals need to invest in a cyber-resilience plan that covers how providers can keep their doors open during a security incident, including providing care, billing, payroll, and scheduling during recovery.


At the end of the day, the main risk is to patient care and patient safety. Even when providers have emergency plans in place, Hewitt noted that younger physicians and staff have a difficult time going back to manual methods, for example taking a blood pressure reading without the machine.

Organizations need to develop or revise their business continuity plans to ensure they have processes in place that will allow them to operate under downtime procedures, he explained.

“Downtime procedures need to focus first on clinical because patient care is primary,” Hewitt said. “But not at the expense of other supporting business workflows, like timekeeping and payroll, which can often be more crucial – behind patient care.”

Organizations will need to be able to pay staff if a security incident becomes a long-term problem, for example. Plans will need to demonstrate ways to keep track of patients with allergies, food service issues, supply chain management, and the like.

“You don’t want to create more harm during a cyber event,” he added. “Healthcare is traditionally behind other industries. So we can start seeing an uptick in breaches if these issues are not addressed. And if there is another critical flaw discovered, especially a zero-day, it could wreak havoc on healthcare and other industries.”

A Failure in Leadership

“It’s going to take a few more organizations getting together and ending up on the front page after an event,” Hewitt said. “We are living with the sins of the past, and we have to start holding organizations accountable for making bad decisions if they do end up breached.”

“Boards of directors need to hold their CEOs and CIOs accountable,” he added. “It’s a failure in leadership: if you don’t know the information and don’t trust internal teams to give the right information, or are unsure teams are giving the right information, it’s your responsibility to go somewhere else to get help.”

Healthcare providers readily spend money on new physicians’ offices or administrative needs but fail to invest in an independent assessment of their security, Hewitt stated. They’re working to satisfy physicians, but “can’t fathom what would happen when a cyberattack causes them to go down.”

Security leaders should seek to educate the board members and other C-suite leaders on the need to reduce risk, which is more important than buying the “latest shiny widget.” Hewitt added that risk should be the focus of these crucial security conversations.

But even with ample budgets and adequate controls, providers are still struggling to keep pace with the threats.

“Those intent on creating havoc can find a way around,” Hewitt said. “It’s a cat and mouse game. The cat is winning, and we’re the mice hovering in a corner… We should not expect the big bang on January 15. It will come with a whimper until such time as another vulnerability is identified and there’s an exploit.”