Last year, Microsoft reported data that showed that 23.8 million instances of its 2003 server operating system were running on 11.9 million physical servers worldwide—meaning that a whopping 39% of all installed Microsoft server operating systems are about to leave their organizations vulnerable and unsupported beginning in July.
This version of the Microsoft Server, the backbone that supports the vast majority of healthcare organizations' point-of-care IT, is getting kicked out of the nest—and according to one expert, some providers may not even know about it.
On July 14, Microsoft will stop providing support, automatic fixes, updates or technical assistance for its 2003 Microsoft Server. While there are a number of ways healthcare organizations can deal with this looming deadline (server upgrades or transitioning to a cloud-based service), the implications of inaction are dire. Inaction opens providers up to significant data breaches (and the resultant HIPAA violations), a risk significant enough that the US Department of Homeland Security issued an alert last year saying that running unsupported Microsoft Server 2003 exposes an organization "to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss."
"Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows Server 2003," the warning continued. "Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003."
It's a vitally important, meat-and-potatoes IT issue that, either through procrastination or lack of education, many providers, particularly smaller practices, aren't addressing, says David Cristal, VP of Sales at Insight Enterprises. Cristal, who is at HIMSS "evangelizing" the need to upgrade, compares it to having a luxury car that's out of warranty:
"Windows Server 2003 will still work really well [after July 14]," Cristal told Healthcare Dive. "Assume it's a BMW. You may still enjoy the driving experience, but once it's out of warranty there's going to be angst: When's it going to break? The manufacturer is no longer protecting me. If something goes wrong, I'm on my own to fix it."
And unlike deadlines set by government agencies, which will push them back to help raise compliance rates, that July 14 date will be hard and fast, according to Cristal:
"Microsoft is not kidding, they will not support it past that date," Cristal said. "That car warranty is done. If your alternator fails, you're on your own."
The good news for providers is that the fix is not terribly expensive, although there are degrees. The upgrade path from the 2003 technology is to 2008 or 2012. Those products are hardened and have been in the field for a while, Cristal says. The licensing fee for each server in a data center is in the three-figure range for the software, although if a physical server upgrade is required, there are also some services and training costs tacked on to the additional price of the infrastructure.
But even if the costs were higher, providers couldn't afford to just cross their fingers, Cristal says.
"The end of service for Microsoft Windows Server 2003 presents one of the most far-reaching risks to health data we have seen," Cristal said.