Executive Summary:
Microsoft has announced the end of support for Windows Server 2003 after July 14, 2015. After this date, Microsoft will no longer issue security patches or offer technical support for the Windows Server 2003 product.
Windows Server 2003’s end of life has far-reaching effects as it is widely used in the healthcare industry. Healthcare organizations that have not updated to a supported operating system may risk being considered non-compliant with HIPAA requirements per the U.S. Department of Health & Human Services’ Office for Civil Rights. They are also at an increased risk for security incidents.
Healthcare records are an attractive target for cyber attackers, as they are 10 times more valuable than credit card data and much harder for people to replace. In 2014, healthcare organizations suffered the highest number of data breaches of any industry—followed by retail, education and finance—resulting in more than seven million identities exposed.
Impact:
- Computer systems running Windows Server 2003 are vulnerable to malicious attacks that exploit existing and undiscovered vulnerabilities, which could result in data breaches and other security threats.
- Continued use of Windows Server 2003 in enterprise systems may cause the loss of data integrity, confidentiality, availability, system resources, and business assets.
- Compatibility issues may arise as manufacturers of new software and hardware cease building applications suited for Windows Server 2003.
- Unsupported and unpatched software will meet neither the Risk and Analysis Management nor Technical Controls HIPAA requirements.
Recommended actions:
- Symantec recommends upgrading all Windows Server 2003 systems to a current, supported operating system before July 14, 2015. Microsoft is currently offering migration assistance on its website.
References
- http://www.emrandhipaa.com/emr-and-hipaa/2015/06/16/windows-server-2003-support-ends-july-14-2015-no-longer-hipaa-compliant/
- http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003
- http://www.hhs.gov/ocr/civilrights/index.html
- http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
- https://know.elq.symantec.com/LP=1542
Global Client Services Team
Symantec Managed Security Services