The (Microsoft) Windows Are Wide Open for Bad Actors

On October 14, Microsoft will officially end its support for the Windows 10 operating system. Most healthcare organizations won’t be able to fully transition to Windows 11 by then because they have so many legacy applications to run. That means that bad actors will soon be launching malware that takes advantage of known openings and vulnerabilities during the Windows transition period.

Even for the biggest organizations with large model IT staffing, the transition to Windows 11 is at minimum a six-to-nine month process. First, you have to build an image and test it against all your applications. Then you have to re-image devices, train your entire staff and formally roll out the new operating system.

Microsoft will offer an Extended Security Updates (ESU) program for up to three years following Windows 10 end-of-service. It’s an annual subscription that provides critical patches but no new features or general support.

One complicating factor is that many healthcare organizations don’t consistently maintain a Microsoft Enterprise Agreement (EA) due to cost considerations. The first phase of the agreement covers the licenses and initial support, then the organization pays 85% of that amount for ongoing support and maintenance (which includes the right to upgrade to new versions of Windows).

To reduce operating costs, many hospitals and healthcare organizations will go three years on EA followed by three years off before signing a new agreement. Bear in mind that these organizations have to maintain roughly 150 to 300 applications in a delicate balance of state-of-the-art and legacy programs that may not function in the new environment. These organizations may have to lean on compensating technologies like Citrix to keep the legacy applications running in a secure manner, which further drives up costs.

Because so many legacy applications need to be supported, healthcare organizations are always a target for cybercriminals. But the threat exposure is even greater when an operating system like Windows 10 is no longer supported and maintained.

At some point, continuing to run Windows 10 will be a HIPAA violation. The Department of Health & Human Services (HHS) has yet to clarify when it will start declaring hospitals noncompliant if they’re still relying on Windows 10.

The Impact On Cyber Insurance

Many cyber insurance providers require lengthy technology and security questionnaires upon execution of a cyber-risk policy. Insurance providers may deny claims if a data breach stems from an unsupported operating system. That means that a healthcare organization relying on Windows 10 could be left holding the bag for the staggering cost of ransomware payments, data recovery, lost revenue due to downtime and legal/compliance fees.

At a bare minimum, cybersecurity insurance premiums are bound to increase for healthcare organizations that are significantly behind in their transition to Windows 11.

Will Windows 11 Be More Secure?

Microsoft’s new operating system incorporates many security and privacy enhancements. Windows 11 will require organizations to use Trusted Platform Module (TPM) 2.0, a hardware-based security layer that allows encrypted credentials and tamper protection at the point of system startup.

Windows 11 will also incorporate a Diagnostic Data Viewer that lets an organization instantly see what data is being collected and how it’s deployed.

Attackers Are Ready To Pounce

When we reach mid-October, cybercriminals will be poised to strike Windows 10 users because Microsoft will no longer provide security patches for newly discovered vulnerabilities. Without those security updates, your organization becomes a prime target for malware and ransomware.

For most healthcare organizations, it’s simply not possible to make an instant upgrade to Windows 11. But you need to demonstrate due diligence by at least formalizing the process of transitioning to the new operating system. It’s important to start planning your upgrade immediately. Failure to do so will make you vulnerable — not just to cyberattacks, but to increased insurance premiums and possible compliance violations.