Healthcare groups still deploying Windows 7 and Windows 2008 have a very short amount of time left to upgrade the operating systems before Microsoft support will be discontinued. Support for both operating systems will cease on January 14, 2019.
As of January 14, 2020, no more patches and updates will be made available by Microsoft so the operating system will potentially be susceptible to attack. Cyberattacks are unlikely to begin the second support comes to an end, but any weaknesses in the operating system discovered after January 14 will remain unaddressed. Exploits could therefore be designed to exploit Windows 7 flaws and through those compromised devices, attacks could be kicked off on other devices on the network. As the number of weaknesses grow, the risk of a cyberattack will increase.
According to Forescout the healthcare sector has the largest percentage of Windows 7 devices of any industry. A report earlier this year indicated 56% of healthcare groups are still using Windows 7 on at least some devices and 10% of devices used by healthcare groups are running Windows 7 or modified versions of the operating system. It has been calculated that approximately 70% of all IoT and medical devices will still be deploying Windows 7 or other unsupported operating systems by January 14, 2020.
The ongoing use of unsupported operating systems is a breach of HIPAA. If a weakness in Windows 7 is exploited after the January 14 deadline and protected health information is exposed, healthcare groups could face a regulatory fine.
Healthcare groups unable to upgrade before January 14 have one solution available to them. Microsoft will be continuing to provide extended security updates to enterprise Windows 7 users for a yearly per device fee. Extended support will be expensive. Microsoft will be charging $25 per device in 2020, $50 per device in year 2021, and $100 per device in 2022. Extended security updates for fee paying enterprises will cease in January 2023.
