Guest post by Ali Din, senior vice president, dinCloud.Ali Din
With support having ended for Windows Server 2003, many organizations are left asking how to proceed with the soon-to-be obsolete server operating system. For organizations held to regulatory compliance standards, this question holds additional complexity. One of the industries undoubtedly scratching its proverbial head this week as support ends is healthcare.
Over the past few years, HIPAA, the Health Insurance Portability and Accountability Act of 1996, and HITECH, The Health Information Technology for Economic and Clinical Health Act, have largely determined the trajectory of IT and operations in healthcare. Perhaps most notably, HIPAA has helped govern patient security as healthcare institutions were incentivized to migrate health records to an electronic format through meaningful use. As EHRs, cloud and mobility solutions abounded, HIPAA guidelines dictated privacy and security standards for the industry. Today, many healthcare organizations are faced with a similar transition. Like all organizations, healthcare institutions have the option to migrate their servers to a supported operating system, which typically includes a corresponding hardware upgrade. Alternatively, they can migrate these workloads to the cloud. However, as reported by the Wall Street Journal, “analysts say that the technology [Windows Server 2003] is more prevalent in healthcare, utilities and government,” demonstrating that inaction seems to be more prevalent in the healthcare sector than one would think.
Those who have not yet migrated from Windows Server 2003 will be exposed to significant security risk and may compromise HIPAA compliance, as it is unlikely the operating system will remain a HIPAA supported platform.
The implications of not migrating extend beyond just the affected server. One unpatched vulnerability can compromise an organization’s entire infrastructure.
End of support means that Microsoft will no longer issue patches and security updates for Windows Serer 2003, and the resulting security risk is so severe, US-CERT, a branch of the Department of Homeland Security, issued a security alert warning of the “impact” of end of support. The alert states, “organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.”
Like the security risk, cost for extended support will also compound for healthcare organizations. Microsoft is charging $600 per server for the service, which will quickly add up.
With the risk and cost associated with not migrating, why are so many healthcare organizations approaching the deadline with no foreseeable migration plan? Like many goings-on in the industry, it’s complicated.
One factor is that some mission critical applications may not transition to a supported platform. That leaves IT administrators choosing between migration and applications that, in some cases, may be in daily use by their workforce.
And, finally, if it ain’t broke (yet), don’t fix it. Like many industries, healthcare organizations are often seeing heightened demand placed on smaller teams, which doesn’t leave ample time for proactivity. In these scenarios, migration planning may not have been prioritized with budget or resource allocation.
However, with end of support approaching in just a few days, regardless of the reason why these organizations didn’t migrate, they will soon be faced with the consequences.
So what’s next?
For many healthcare organizations, the cloud is an ideal migration destination. For those who do not have the time to migrate, one option is extending the life of legacy Windows Server 2003 software through virtualization. As reported by Computer Weekly, “since virtualisation separates PC server hardware from the OS, legacy operating systems can exist for much longer since they are able to run on newer servers.”
Beyond this interim step, the cloud is an ideal migration path for many healthcare organizations. Cloud platforms offer high performance architecture, reliability, scalability, and perhaps most importantly for this industry, HIPAA compliance support from some service providers.
Given the aforementioned complexities, it’s likely that healthcare organizations will need to consult with service providers, to help lead the migration and offer ongoing support for whichever route they choose. As the end of support deadline approaches in just mere days, healthcare organizations have no choice but to step back and assess their options. As we’ve seen, end of support extends far beyond the server layer, and organizational compliance may be at risk.