
Windows 7 or Windows Server 2008? Time To Upgrade!

This article was previously published at EagleConsultingPartners.com

Microsoft is ending support for Windows 7, Server 2008, and Server 2008 R2 operating systems in January 2020. Upgrade this year to avoid security vulnerabilities.

All software products have a life-cycle. After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running the Windows 7 operating system. After this date, this product will no longer receive free:

  • Technical support for any issues
  • Software updates
  • Security updates or fixes

Computers running the Windows 7 operating system will continue to work even after support ends. However, using unsupported software may increase the risks from viruses and other security threats.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to upgrade to a currently supported operating system.

-- US Cybersecurity and Infrastructure Security Agency announcement, March 19, 2019 (emphasis added)

Why Should You Upgrade?

Why should you upgrade your systems before this end-of-life, instead of just using them for as long as they work? The biggest reason is that outdated and unsupported operating systems are a security risk that will only get worse over time. After the end-of-life in January 2020, "Microsoft will stop delivering security updates automatically, and by then most third-party vendors will have dropped support as well" [5].

As Takeshi Numoto of Microsoft describes it, "End of support means the end of regular security updates. With cyberattacks becoming more sophisticated and frequent, running apps and data on unsupported versions can create significant security and compliance risks" [4]. Microsoft typically issues security updates every month for various levels of vulnerabilities. So far in 2019, Microsoft security updates have addressed 94 "Critical" or "Important" severity vulnerabilities in each of these operating systems. In January 2020, these updates will stop. All vulnerabilities discovered after that point – and there will be plenty – will not be fixed.

The history of Windows XP provides a cautionary example. Within months of the Windows XP end-of-life in 2014, compromise of the operating system was widespread. Of particular note, Windows XP weaknesses were at the heart of the WannaCry global ransomware attack in 2017 that crippled hundreds of thousands of computers and caused billions of dollars in damages [6,7].

This isn't a hypothetical risk.

A Decade of New Technology

Windows Server 2008 came out in… you guessed it, 2008. Windows 7 first reached consumers in 2009. Both of these operating systems are a decade old, which is an eternity in technology terms.

"It’s incredible how much and how rapidly technology evolves. Microsoft’s server technology is no exception. We entered the 2008 release cycle with a shift from 32-bit to 64-bit computing, the early days of server virtualization and advanced analytics. Fast forward a decade, and we find ourselves in a full-blown era of hybrid cloud computing with exciting innovation in data, artificial intelligence, and more," explains Microsoft's Numoto [4].

Meanwhile Windows 7 was followed by Windows 8, 8.1, and now Windows 10. Modern operating systems, such as Windows 10 or Server 2019, and cloud infrastructure such as Azure have been built with security, capabilities, and features that weren't imaginable ten years ago.

Modern systems are faster and more powerful, which has direct productivity impacts.

Upgrading from Windows 7

A few factors to consider when planning to upgrade your Windows 7 machines:

  1. If you don't have an IT managed services provider (MSP) or professional in-house IT team, now is the time to get one. Rely on professionals when upgrading PCs in an office environment, particularly for systems with access to Protected Health Information.
  2. Consider compatibility issues with legacy applications. Older applications, for instance older locally-hosted EHRs or billing applications, may have compatibility issues with Windows 10 or other modern operating systems. Your MSP can help you navigate these challenges. Or this may be the final straw for transitioning away from that legacy system.
  3. Assess your hardware. Depending on when you bought your PCs, the machines may not be able to handle an operating system upgrade. Look into buying new computers.
  4. Review your operating system options. Windows 10 Pro is the default answer here. The "Pro" level comes with BitLocker disk encryption included, which the "Home" version does not. Also consider Microsoft 365, a relatively new offering from Microsoft for small and medium businesses that includes subscriptions to Windows 10 Pro, Office 365, and a number of additional security features. Finally, if you need limited computing capabilities and do most of your work on the internet, such as through a web-based EHR, take a look at something like Chrome OS, which runs on inexpensive PCs and offers a variety of security and management features.
  5. Finally, take this opportunity to implement security best practices when upgrading your systems. At a minimum, activate full-disk encryption and strong workstation password policies. Even better, implement an industry-vetted security guide such as the Microsoft Security Baselines or CIS Benchmarks.

Upgrading from Windows Server 2008 / 2008 R2

Some further considerations for server upgrades:

  1. IT Professionals. Ditto my comments above. Whether in-house or outsourced, get good IT professionals and let them run this process.
  2. Compatibility issues may be the one reason you can't upgrade your server(s) right away. Consider this the right time to start – or push forward – management discussions about moving to a modern EHR, billing software, or whatever other key application is holding you back.
  3. This is also the time to question whether you want to keep servers in-house or move to cloud-based infrastructure such as Azure, AWS, Google Cloud, etc. Both local and cloud-based servers have benefits and risks. Our security risk assessment and risk management consulting can help you weigh your options and determine what is right for your organization.
  4. And as with the workstations, new server implementation is a perfect time to build in some extra security hardening best practices, such as the CIS Benchmarks.

What if You are Stuck with Legacy Systems?

We understand that maintaining legacy systems is sometimes unavoidable. We run into $100,000 medical devices that run Windows XP, old billing software that has to be maintained for data retention, and even HVAC systems that only use Windows XP and that would require half a million dollars to replace. In cases like these:

  1. Harden the systems as much as possible using the CIS Benchmarks or another industry security standard.
  2. Isolate these legacy systems from everything else. Keep them off the internet and put them on a separate network from sensitive databases and critical applications.
  3. Continue looking for ways to mitigate the risks to your organization from these legacy and unsupported systems until you can upgrade or replace them.

Bottom Line

Protect your organization and the people you serve. Prevent a significant risk to your information systems. Save yourself from some ongoing headaches. Upgrade your Windows 7 and Windows Server 2008 machines before the end of the year.


10 Cybersecurity Basics for Small Practices

This article was previously published at EagleConsultingPartners.com

Small medical practices are not immune from cyberattacks, but complex recommendations are overwhelming. We present our top 10 cybersecurity basics to protect against data breaches and other cybersecurity risks.

Top 10 Cybersecurity Recommendations for Small Practices

  1. Know Your Assets. Your assets include computer hardware such as PCs and routers, key software applications such as EHR, PM, Email and cloud file sharing, any medical devices that store or transmit ePHI, and your sensitive data, such as ePHI, billing records, HR/payroll, and business financials. Keep an up-to-date inventory of what you have and where it is. This doesn’t need to be fancy – a simple spreadsheet is fine. Just consider: If you don’t know what you have and where it is, how can you keep it protected? Putting together this inventory is among the first things we do when conducting a risk assessment for our clients.
  2. Know Your Risks. Too often I hear from clients the mistaken assumption that “we are too small to get attacked.” The reality is very different. Broadly speaking, cybersecurity risks only come in a few scenarios, any of which could easily affect a practice of any size. A good security risk assessment will help you understand your particular risks and worst-case financial impacts. Routine risk assessments are required for HIPAA compliance. Here are the most common risks:

    • Targeted attack by an outsider. A nation-state, organized criminal group, or lone hacker specifically targeting an organization, usually for financial, intelligence, or personal reasons. Small practices benefit here from obscurity and anonymity; on the other hand, bad actors know that small organizations have fewer defenses and are easier targets.
    • Random attack by an outsider. Most ransomware and other malware attacks fall into this category: infections in the medical sense of the word designed to spread autonomously from host to host across the internet, with no concern for geography or your practice size. (For an eye-opening view of this, read WIRED’s excellent exposé, The Untold Story of NotPetya, the Most Devastating Cyberattack in History.)
    • Malicious insider. A current or former employee who takes advantage of insider access is more common than most people are willing to admit.
    • Non-malicious error. This is the most frequent source of data breaches in the healthcare industry, according to the Verizon 2018 Protected Health Information Data Breach Investigations Report.
    • Third-party risk. Don't forget the risk that one of your trusted third parties will screw up! Perhaps your EHR vendor, billing company, or IT service provider experiences one of the above incidents. You are ultimately responsible for their mistakes.
  3. Obtain Cyber Insurance. Get insurance coverage to mitigate the possible financial impacts of a data breach, loss of practice data, extended system downtime, and other cybersecurity concerns. This insurance is generally inexpensive. But the details matter, so work with a broker that really understands cyber policies.
  4. Backup Your Data. Make sure your sensitive data is backed up regularly, effectively, and securely. If using a cloud EHR and/or PM, understand how your vendor is backing up your data and how to get access to the backups during an outage or security incident.
  5. Keep Systems Up-To-Date. Use computers with modern operating systems. Apply patches and security updates at least monthly for operating systems, browsers, Adobe products, and Java.
  6. Enforce Secure Logins. Require strong password policies on all sensitive systems: minimum 8 characters (though I generally recommend at least 10) with some complexity such as numbers or special characters. Train employees to create good passwords (hint: not “Password1234” or “Spring2019!”) and to use unique passwords for each system. Passphrases (ex: “DandelionSharpenerBounce23”) are both easier to remember and generally more secure than the typical password (ex: “C@pta1n$”). Turn on multi-factor authentication (aka two-factor authentication or 2FA) wherever possible for an extra layer of protection around account logins.
  7. Provide Employee Security Awareness Training. Employees are the most frequent targets of bad actors. Cyber-aware employees become a strength rather than a weakness. Train employees on the cyber risks to the practice. Teach them safe web browsing and email practices, how to recognize phishing and social engineering, and how to identify and respond to possible malware attacks. Conduct this training annually at a minimum, but consider whether a more robust and engaging security awareness program might be right for your organization.
  8. Install a Commercial-Grade Firewall. The router from your internet provider might be fine for Netflix at home, but when handling, storing, and transmitting sensitive data like ePHI, you want the security of a commercial-grade firewall/router. Commercial firewalls provide threat prevention, block attacks, filter malicious traffic and websites, and also offer speed and performance benefits. Furthermore, numerous attacks have been targeting the weak security of consumer-level routers in recent years. The Mirai botnet and the recent VPNFilter malware that triggered a public FBI alert last year are two examples.
  9. Encrypt Devices. Implement full-disk encryption on PCs, servers, smartphones, and any removable media used in the practice. This encryption protects data stored on these devices from being accessed in case of physical loss or theft. The Department of Health and Human Services has been saying for years that encryption is key to preventing healthcare security breaches.
  10. Monitor System Use. One of the biggest cybersecurity challenges for small organizations in any industry is knowing if they have been attacked or compromised. Small practices only need to invest in a little bit of monitoring to make a difference here. These recommendations aren’t perfect, but they’re a good start:

    1. Review remote logins & login attempts. Keep an eye on who is accessing or trying to access your network remotely via the firewall. Red flags would include login attempts at abnormal hours or from unusual locations.
    2. Monitor EHR logins. Particularly if using a cloud-based EHR, regularly check the access logs for logins at abnormal hours, unusual locations, or anything else that might indicate a compromise. Same goes if you use a cloud-based Practice Management system or similar.
    3. Conduct internal EHR audits. Regularly review EHR audit logs for unusual behavior, records access, or updates. These could indicate a potential insider threat or compromise by an outside attacker.
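A small worked version of the log review described in items 1 and 2 above, added here and not code from the original post: it walks constructed firewall-style remote-login rows (a hypothetical CSV layout, not any vendor's real export) and flags successful logins at abnormal hours or on weekends, logins from countries outside an expected set, and bursts of failed attempts from one user and IP. The business hours, expected-country set and failure threshold are assumptions to tune for your own practice.

```python
# Flag remote-login red flags in a small practice's firewall/VPN log.
# Added example, not from the original post. The CSV layout
# (timestamp,user,source_country,source_ip,result) is a constructed,
# hypothetical export; adapt parse_line() to your firewall's real format.
import csv
from collections import Counter
from datetime import datetime

BUSINESS_HOURS = range(7, 19)    # assumption: 07:00-18:59 on a weekday is "normal"
EXPECTED_COUNTRIES = {"US"}      # assumption: where staff normally connect from
FAILURE_THRESHOLD = 5            # assumption: failures from one user+IP worth a look

# Constructed sample rows (documentation-range IPs, invented users).
SAMPLE_LOG = """\
2019-06-03 08:12:41,jsmith,US,198.51.100.7,success
2019-06-03 12:40:03,nurse2,US,203.0.113.9,success
2019-06-04 02:15:22,jsmith,US,198.51.100.7,success
2019-06-04 09:05:10,drlee,RO,192.0.2.44,success
2019-06-04 09:05:12,admin,CN,192.0.2.88,failure
2019-06-04 09:05:14,admin,CN,192.0.2.88,failure
2019-06-04 09:05:16,admin,CN,192.0.2.88,failure
2019-06-04 09:05:18,admin,CN,192.0.2.88,failure
2019-06-04 09:05:20,admin,CN,192.0.2.88,failure
2019-06-08 10:30:00,nurse2,US,203.0.113.9,success
"""

def parse_line(line):
    """Turn one CSV row into a dict with a parsed timestamp."""
    ts, user, country, ip, result = next(csv.reader([line]))
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user, "country": country, "ip": ip, "result": result}

def is_abnormal_time(when):
    """True outside business hours or on a weekend (Saturday=5, Sunday=6)."""
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS

def review_logins(text):
    """Return the list of flagged events, each carrying a 'reason' field."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    flags = []
    for e in events:
        if e["result"] != "success":
            continue                  # failures are counted in bulk below
        if is_abnormal_time(e["time"]):
            flags.append({**e, "reason": "abnormal-hour"})
        if e["country"] not in EXPECTED_COUNTRIES:
            flags.append({**e, "reason": "unusual-location"})
    # Repeated failures from the same user+IP pair suggest password guessing.
    failures = Counter((e["user"], e["ip"]) for e in events if e["result"] == "failure")
    for (user, ip), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            flags.append({"user": user, "ip": ip, "count": n, "reason": "repeated-failures"})
    return flags

def count_reasons(flags):
    """Summarize flags by reason, e.g. {'abnormal-hour': 2, ...}."""
    return dict(Counter(f["reason"] for f in flags))
```

Run `review_logins(SAMPLE_LOG)` to see the four flagged rows; the same functions work on a real export once `parse_line()` matches its columns.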

Bonus Recommendation #11: Hire a Security-Conscious IT Managed Services Provider. For most smaller practices, it makes sense to outsource many of the above responsibilities to an IT Managed Services Provider (MSP) with good security capabilities. Quality MSPs who understand the security concerns in healthcare can implement these core recommendations professionally and efficiently, allowing your practice to go back to what you really want to be doing – practicing medicine.

Questions about any of these recommendations? Interested in help with a risk assessment or other compliance need? Get in touch with us today via our contact page.


Don’t use Internet Explorer, says Microsoft Security Chief

This article was previously published at EagleConsultingPartners.com


Internet Explorer is a “compatibility solution” not a “modern browser”, explains Microsoft’s lead for cybersecurity in a recent blog post.

Do you use the Internet Explorer web browser on a regular basis? Does your practice or organization? Well, the message from a Microsoft cybersecurity leader is to STOP!

Chris Jackson is a Microsoft cybersecurity expert. In a post published on the Microsoft Windows IT Pro blog, Jackson put in writing what IT professionals have been quietly saying for years: Internet Explorer is not a modern browser. It is a big risk on the internet and exists only for use with legacy systems or applications that don’t work with newer browsers.

“You see, Internet Explorer is a compatibility solution. We’re not supporting new web standards for it and, while many sites work fine, developers by and large just aren’t testing for Internet Explorer these days. They’re testing on modern browsers.”

Maybe they should stop calling it “Internet” Explorer?

Jackson doesn’t comment on which browsers you should be using. He doesn’t even recommend Edge, Microsoft’s current “flagship” browser. I don’t recommend using Edge either, as Microsoft has been slow to update it and is soon going to kill the current Edge to completely rebuild it on the same underlying system that Google Chrome uses.

Which Browser Should I Use?


When it comes to default everyday internet use, there are only three real recommendations: Chrome, Firefox, or Safari. Since we’re talking about alternatives to Internet Explorer, I’ll assume you’re on Windows and ignore Safari for the rest of this post.

Chrome: Chrome is king right now in terms of overall usage, with an impressive 62% of web browsing happening via a Chrome browser (per Wikipedia, data as of December 2018). It is an excellent browser, fast, and easy to use. Chrome automatically updates itself, so users and IT admins don’t have to worry about running updates. Long story short: If you have no idea which browser to be using, just use Chrome.

Firefox: Firefox is neck and neck with Chrome in terms of overall quality and capabilities, though it has barely 5% of the browser market share. If you haven’t looked at Firefox recently, an extensive overhaul last spring transformed it into a serious Chrome rival. Firefox is my browser of choice, for what that’s worth. Consider trying it (especially if you have any concerns about Google’s ever-growing reach).

But I Have to Use Internet Explorer Because…

I know, I know – you have to use Internet Explorer because XYZ application on your network requires it or ABC website only works on Internet Explorer. I get it, and so does Chris Jackson. This is why Microsoft hasn’t completely removed Internet Explorer from our lives. These legacy and compatibility needs are out there.

Jackson’s point, and the one thing I want you to take away from this post, is that you should only use Internet Explorer for these compatibility purposes. Anything else is a security risk. For surfing the web, checking webmail, Amazon, Netflix, Facebook, Twitter, banking, and everything else you’re doing online, use a modern web browser like Firefox or Chrome. End of story.

Nota Bene:

  • For you Mac/Safari users: Safari is a perfectly fine browser. Carry on. Or consider one of the options above.
  • If you read this and said, “But Mike, what about Chromium, Opera, Vivaldi, etc.?!”, then you already know enough, so stop reading and go help others in your organization get sorted out!
  • For the technically-inclined, read Jackson’s post for his explanation of why Internet Explorer is so flawed. It is linked in the sources below.

Sources: Chris Jackson’s post on the Microsoft Windows IT Pro Blog; ZDNet; Wikipedia.

© 2019 Musings
