More than 71% of medical devices and 56% of healthcare organizations still use Windows 7 and have seen no reason to scrap the older but reliable version of the Windows operating system. But as of today, January 15, 2020, you had better start worrying. Microsoft has discontinued security updates for this senior citizen of the IT world, at least for those who do not pay for Extended Security Updates (ESU), the paid program that keeps patches coming for up to three more years. If you signed on to a Windows 7 system today, you should have seen the full-screen warning telling you that you are living on borrowed time.
This should come as no surprise to Windows 7 users, since Microsoft has been sending out warnings for more than a year, but for those who have not switched yet because of cost, complexity, or plain procrastination, time is up. Your machines will keep running, but the risk of a breach grows every day: newly discovered vulnerabilities in Windows 7 will no longer be fixed for anyone who is not paying for ESU, and attackers know it. Worse, Windows 7 shares a great deal of code with the versions Microsoft still supports, so each patch shipped for Windows 10 effectively advertises a flaw that very likely also exists, and now stays open, in Windows 7.
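The first practical step is knowing which machines are still on Windows 7 and whether they are still receiving updates. The script below is an added example, not part of the original post; it assumes the hostnames are hypothetical placeholders and that the account running it has WinRM/CIM access to each host. It flags any host reporting NT version 6.1 (Windows 7, and also Windows Server 2008 R2, which left support the same day) and uses the date of the most recently installed hotfix as a rough signal of whether the host has been patched since end of support, which is what a machine without ESU will never be again.

```powershell
# Added example (not from the original post): inventory hosts, flag Windows 7,
# and note the last installed update as a sign of whether patching continues.
# Assumptions: hostnames below are hypothetical; the caller has CIM/WinRM access.

$hosts = @('WS-RADIOLOGY-01', 'WS-FRONTDESK-02', 'SRV-PACS-01')   # hypothetical names
$EndOfSupport = Get-Date '2020-01-14'   # last day of Windows 7 extended support

$report = foreach ($h in $hosts) {
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $h -ErrorAction Stop

        # Windows 7 and Windows Server 2008 R2 both report kernel version 6.1.x
        $isWin7 = $os.Version -like '6.1.*'

        # Most recent hotfix with a recorded install date, if any
        $lastFix = (Get-HotFix -ComputerName $h -ErrorAction SilentlyContinue |
                    Where-Object { $_.InstalledOn } |
                    Sort-Object InstalledOn -Descending |
                    Select-Object -First 1).InstalledOn

        # A 6.1 host with no update after end of support is almost certainly
        # not enrolled in ESU and is accumulating unpatched vulnerabilities.
        $patchedSinceEoS = $false
        if ($lastFix) { $patchedSinceEoS = $lastFix -gt $EndOfSupport }

        [pscustomobject]@{
            Host            = $h
            OS              = $os.Caption
            Version         = $os.Version
            IsWindows7      = $isWin7
            LastUpdate      = $lastFix
            PatchedSinceEoS = $patchedSinceEoS
        }
    } catch {
        # Unreachable hosts still belong in the report; they need a manual check.
        [pscustomobject]@{
            Host            = $h
            OS              = 'unreachable'
            Version         = $null
            IsWindows7      = $null
            LastUpdate      = $null
            PatchedSinceEoS = $null
        }
    }
}

# Windows 7 hosts with PatchedSinceEoS = False are the ones to deal with first.
$report | Sort-Object IsWindows7 -Descending | Format-Table -AutoSize
```

Run this from a machine with network access to the fleet; for a large estate, feed the host list from Active Directory (for example, the output of `Get-ADComputer`) instead of a literal array, and keep the resulting report, since it is exactly the evidence an auditor will ask for.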
More than just getting hacked, a data breach on an unprotected Windows 7 device (including one caused by a ransomware attack) poses a significant risk of a substantial HIPAA fine for a tier 4 "willful violation and failure to remedy within 30 days of discovery." I would suggest that the 30 days start TODAY, since everyone using the system is on notice that Windows 7 is not reasonably secure under the HIPAA security standards. OCR has not taken that position as yet, but it seems probable that at some point they would be justified in adopting that stance. I would hate to be in the position of the CEO, compliance officer, or CISO trying to explain that one to my board.
To be sure, migrating is likely to be expensive and slow to implement, which leaves Microsoft's paid Extended Security Updates looking like the easy route. But even that is only a temporary fix: ESU is sold a year at a time at a rising price, and it ends for good in January 2023, so it buys a few more years at most.