Have You Upgraded Windows Server 2008? If Not, You’re Almost Out of Time


It’s no secret that Windows Server 2008 and Windows Server 2008 R2 are rapidly approaching the end of their support lifecycle. As of Jan. 14, 2020, free on-premises security updates, non-security updates, free support options, and online technical content updates will no longer be available.

While most IT teams of organizations utilizing Windows Server 2008 and 2008 R2 know this date is looming, they may not have made this upgrade yet. Here are some compelling points that might assist in communicating the importance of addressing the Windows Server 2008/R2 end of support issue:

  • Cybersecurity is a big deal. Not upgrading to a supported server leaves systems exposed to vulnerabilities that will never be patched.
    • Since 2015, healthcare has topped all other industries as the most cyberattacked vertical. That year attackers seemed to realize that there are far greater rewards in stealing medical records and Social Security numbers than credit cards. The payoff was (and continues to be) thousands of dollars per individual set of health records.
    • Between 2009 and 2018, health records of almost 190 million people in the United States – roughly 59% of the population – were involved in a theft or exposure. From January 2019 through October 2019, breaches surpassed the 38 million mark, involving about 12% of the U.S. population in just a 10-month period.
    • Healthcare breaches (of 500 or more records) are becoming so common that they are now reported at a rate of more than one per day.
    • Remember WannaCry? This major cybersecurity attack in May 2017 infected more than 230,000 computer systems in 150 countries and resulted in about $4 billion in financial losses. There are organizations that never recovered from that attack, and others remain at risk because they still haven’t patched their systems against the vulnerability it exploits.
  • Not upgrading from Windows Server 2008 could result in HIPAA fines, and it would be difficult to make the case of being unaware of the risks.
    • The civil penalty tier system for healthcare organizations is based on the extent to which the HIPAA covered entity was aware that HIPAA Rules were violated. The maximum civil penalty for knowingly violating HIPAA is $50,000 per violation, up to a maximum of $1.5 million per violation category per year. While it is unlikely that failing to upgrade would result in individual fines, there are HIPAA fines that can be levied against individuals who knowingly violate HIPAA rules.
    • The Office for Civil Rights (OCR) clarified 45 C.F.R. 164.308, encouraging Covered Entities “to review systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.” This guidance was the result of a breach investigation at a facility in Alaska that ended in a $150,000 fine. OCR stated that “the security incident was the direct result of the [Covered Entity] failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.”
  • The General Data Protection Regulation (GDPR) in Europe is already levying fines on organizations that do not comply with data protection laws.
    • According to Article 83 of the new data protection rules, regulators adhere to a two-tiered structure for the administration of sanctions. The higher tier carries potential fines of up to $20 million, or 4% of global annual turnover (annual revenue), whichever is higher. The lower tier carries a maximum fine of $10 million, or 2% of annual turnover, whichever is higher.

While the potential of HIPAA fines is a real possibility, the bigger threat remains that a major cybersecurity incident could cripple or put an end to a healthcare provider.

If your organization is still dependent on legacy EHR systems to meet retention requirements and provide legacy data access, Harmony Healthcare IT can help mitigate your risk. Our data archiving solution consolidates data stores, reduces out-of-production system maintenance costs, and complies with record retention mandates. Most of all, it provides increased security against cyberattacks, protecting both your organization and your patients.

Our recommendation remains the same: we strongly advise that all affected systems be updated as soon as possible.

When you’re ready to get this item off your to-do list so you and your team can go into 2020 with an increased peace of mind, we’re here to help.

Dec 04 2019
