On October 14, 2025, Microsoft will officially end support for the Windows 10 operating system, a milestone that poses real challenges for many healthcare organizations. The move to Windows 11 is not a straightforward task, particularly for those dependent on numerous legacy applications. As the deadline approaches, concerns mount that cybercriminals will exploit vulnerabilities found after that date, which will no longer be patched on machines outside an extended-support program, during this critical transition period.
For even the largest healthcare entities, migrating to Windows 11 is a complex endeavor that typically spans six to nine months. This process involves several stages: creating a new system image, rigorous testing against existing applications, re-imaging devices, training staff, and finally rolling out the new operating system. Each step demands careful consideration and resources.
To assist organizations during this transition, Microsoft is offering an Extended Security Updates (ESU) program for up to three years after Windows 10 end of support. This annual subscription delivers security patches only: no new features, no non-security fixes, and no general support. However, many healthcare organizations struggle to maintain a Microsoft Enterprise Agreement (EA) because of financial constraints. The EA covers initial licenses and support, but the ongoing maintenance cost leads some organizations to alternate between three years on the agreement and three years off, which complicates their upgrade path and their access to ESU.
Healthcare organizations often juggle between 150 and 300 applications, balancing cutting-edge technology with legacy systems that may not run on the new operating environment. This reliance on outdated applications makes them attractive targets for cybercriminals, especially as the end of support for Windows 10 draws near. The looming risk of a HIPAA violation adds urgency, as the Department of Health & Human Services (HHS) has yet to clarify when continued use of Windows 10 will be treated as noncompliance.
The Impact On Cyber Insurance
As healthcare organizations navigate this transition, they must also consider the implications for cyber insurance. Many insurers require detailed technology and security questionnaires as part of their cyber-risk policies. If a data breach occurs because of reliance on an unsupported operating system, claims may be denied, leaving the organization liable for the substantial costs of ransomware, data recovery, lost revenue from downtime, and legal fees. Consequently, organizations lagging in their transition to Windows 11 can expect to see higher cyber insurance premiums.
Will Windows 11 Be More Secure?
Windows 11 promises enhanced security and privacy features, starting with its requirement for a Trusted Platform Module (TPM) 2.0. This hardware-based security layer protects disk-encryption and credential keys and supports tamper detection from the moment the system starts, before the operating system itself is running. Windows 11 also includes the Diagnostic Data Viewer, which lets an organization see the diagnostic data a device sends to Microsoft.
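The TPM 2.0, UEFI and Secure Boot requirements are the first things to triage when deciding which Windows 10 devices can be upgraded in place and which must be replaced. The following PowerShell script is an added example, not part of the article or of Fortified Health Security's tooling; it assumes an elevated session on the Windows 10 host being assessed, and the end-of-support date is Microsoft's published date for Windows 10.

```powershell
# Windows 11 readiness triage for a single Windows 10 host (added example, not from the article).
# Run in an elevated PowerShell session: the TPM WMI class and Confirm-SecureBootUEFI need administrator rights.
# End-of-support date is Microsoft's published date for Windows 10 (assumption: unchanged at run time).
$endOfSupport = Get-Date '2025-10-14'

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

# Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first comma-separated token is the TPM specification version.
$tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

# Confirm-SecureBootUEFI throws on legacy-BIOS machines, so treat an exception as "Secure Boot not available".
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false }

$result = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OS                 = $os.Caption
    Build              = [int]$os.BuildNumber          # Windows 11 builds start at 22000
    DaysToEndOfSupport = [int]($endOfSupport - (Get-Date)).TotalDays
    FirmwareType       = $env:firmware_type           # "UEFI" or "Legacy"
    TpmPresent         = [bool]$tpm
    TpmSpecVersion     = $tpmSpec
    SecureBoot         = [bool]$secureBoot
}

# Hardware-security gate only: a device can still fail on CPU generation, RAM or storage,
# so treat a $true here as "candidate for in-place upgrade", not as final eligibility.
$result | Add-Member -NotePropertyName Windows11Candidate -NotePropertyValue (
    $result.TpmSpecVersion -eq '2.0' -and
    $result.FirmwareType   -eq 'UEFI' -and
    $result.SecureBoot
)

$result | Format-List
```

Run the same script across the fleet with Invoke-Command and pipe the objects to Export-Csv to produce the device inventory the migration plan needs; devices that come back with a 1.2 TPM or legacy firmware go on the hardware-replacement list, and anything still on Windows 10 after the end-of-support date needs an ESU entitlement or an isolation plan. Microsoft's PC Health Check remains the authoritative eligibility test, since it also verifies the processor against the supported list.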
Attackers Are Ready To Pounce
As mid-October approaches, the threat landscape intensifies. Cybercriminals are poised to target Windows 10 users, knowing that security patches for newly identified vulnerabilities will no longer reach machines outside the ESU program. For many healthcare organizations, an immediate upgrade to Windows 11 is not feasible. It is nevertheless crucial to demonstrate due diligence by formalizing the transition process: a device inventory, a decision on ESU coverage for the devices that cannot move yet, and a dated upgrade schedule. Organizations must begin planning their upgrade without delay, because failure to act will not only expose them to cyberattacks but also lead to higher insurance premiums and potential compliance violations.
Jason Stewart serves as the Manager of vCISO Services at Fortified Health Security in Brentwood, Tennessee.