Server 2003 Sunset Likely to Cause HIPAA Headaches, other problems
By Scott Robertson
When Microsoft announced it would end support for its Windows XP operating system effective April 8, 2014, it caused a flurry of upgrading in the consumer market. Now Microsoft has announced it will end support for its Windows Server 2003 software effective July 14, 2015.
The Server 2003 software includes some code that was written as early as 1999. At the time the software was introduced, ideas like smartphones and the cloud were almost purely theoretical. “The thought process was, ‘We’re going to load this software onto one machine and it will sit in a data center or server closet and provide access to data for many users,’” says Aaron McCray, senior network engineer for Saratoga Technologies in Johnson City. “That software is simply not designed to handle the realities of today.”
The rush to upgrade that came with XP has yet to materialize from Server 2003 users. Unfortunately, the notion of continuing to use the old Server 2003 software (as some consumers have done with XP) won’t work. For both practical and regulatory reasons, especially in the healthcare field, the drop-dead date for Server 2003 is truly a hard deadline.
The security issues created at the end-of-life date for Server 2003 dwarf those involved in XP. “All of the Windows Server products are built largely on the same platform,” says Mick Williams, executive vice president at Saratoga. “So come August and September when Microsoft releases the new security patches for Windows Server 2008 and 2012, cybercriminals will take those patches and figure out what holes they closed in the current products. Then they’ll look and see if Windows Server 2003 has the same hole. They can then use that to get into anybody who doesn’t have the current software.”
This will almost immediately present a payment card security issue, says McCray. “When Microsoft stops putting out patches, any business running Server 2003 will no longer be compliant with the payment card industry – MasterCard, Visa, American Express, Discover – every one of them use the same data security standard, and if your business is not in compliance with that, fines can be applied to that business until it comes into compliance.”
Almost all healthcare companies take credit cards, of course, but the problems in that industry only start with payment cards. HIPAA rules from the 2013 Omnibus require anyone who has access to health records maintain a fully supported operating system as defined in 20 specific tenets.
So beginning July 15, any healthcare provider with even a single instance of Microsoft Server 2003 operating will be out of compliance with HIPAA. And if you think the credit card companies can levy fines, just wait until you see what the federal government can do.
Those are just the regulatory issues. The direct effects of security breaches themselves are potentially much more harmful.
That’s why the lack of interest on the part of business to make this change is alarming to IT professionals. “Last May, HP said there were 11 million users of Windows Server 2003. They took that number, looked forward, and said, ‘If everybody were to migrate over between now and the end of life date that would mean an average of 25,000 a day,’” says Williams. “We’re not seeing that happen.”
The bad news is the change over process is not as simple as buying the latest Windows operating system and replacing XP. To do it right takes time and it may involve updating some other operations in the workplace as well. The other bad news is that between now and July 14, there’s not enough time and resources for everyone who needs to make the change over to do so. “There’s lack of hardware, there’s lack of technicians, and frankly, there’s a lack of knowledge,” Williams says.
The good news is the change over gives businesses an excellent opportunity to examine their operations, policies and procedures in order to make modifications and improvements. “Our hope is that since there is a drive to change now because of this Microsoft decision, people and businesses will look at how they do business and consider where they can use new technology to be more efficient,” Williams says.
Microsoft offers a webpage to specifically address the end of Server 2003 at microsoft.com/en-us/server-cloud/products/windows-server-2003/.