Nelson Gomes, President & CEO, PriorityOne Group, discusses Microsoft Windows Server 2003 and how to make sure your ASC isn't in danger.
Q: What is Microsoft Windows Server 2003?
Nelson Gomes: Windows Server 2003 is an operating system released by Microsoft in April 2003. In general, all variants of Windows Server 2003 have the ability to share files and printers; act as an application server to host practice management, EHR and other systems; host message queues; provide email services; authenticate users; act as an X.509 certificate server; provide LDAP directory services; serve streaming media and perform other server-oriented features.
Q: What are the dangers of ASCs continuing to use Windows Server 2003?
NG: On July 14, 2015, Windows Server 2003 reaches end of life (EOL). As of this date, Microsoft will no longer issue security updates for any version of Windows Server 2003, including the updated Windows Server 2003 R2.
What this essentially means is if a security vulnerability is identified in Windows Server 2003 after July 14, Microsoft will not provide any updates or patches to the operating system. New vulnerabilities will not be addressed, and any servers running Windows 2003 will become a massive security risk. In the event of technical issues, Microsoft will no longer provide Windows Server 2003-related technical support.
Note: This deadline is similar to the one we previously discussed concerning the Windows XP operating system and Office 2003 office suite. Microsoft ceased providing support for them last April.
Where this becomes problematic is if ASCs continue to use servers running Windows Server 2003 after July 14 to host practice management, EMR and other systems that store protected health information (PHI) and valuable business data that is of interest to cybercriminals. If a weakness in the system can be identified, Microsoft will not take steps to stop them from exploiting the security weakness. Due to these potential vulnerabilities, an ASC using Windows Server 2003 to store PHI after July 14 could effectively become non-compliant with HIPAA and the HITECH Act. More importantly, the servers running Windows 2003 become a major security risk.
Q: Are there still dangers of using machines with Windows Server 2003 if they are not storing PHI and important financial information?
NG: Even if you have just one server with the Windows Server 2003 operating system on your network and all other servers are running a newer version of the Windows Server operating system, such as Windows Server 2008 or Windows Server 2012, the network remains vulnerable and all data remains at risk.
Q: What should an ASC do if it is still using machines with Windows Server 2003? What options are available?
NG: The first step is to assess your server environment. Identify and document the purpose of the Windows 2003 servers. Let your IT provider determine whether you can consolidate or decommission them from the environment. There are instances where this approach can apply, depending on the configuration and topology of your network and server environment.
If the server still serves an important role in your operations, you can potentially upgrade the operating system to a more current version, such as Windows Server 2012. You will need to determine whether the server's hardware meets the hardware requirements of running the newer operating system. If it does not, then the entire server may need to be replaced or may require a simple hardware upgrade.
There are a few options to consider at this juncture. You can replace the server with a new server running a more current operating system. You can look into whether a virtual server is a viable option. In simple terms, a virtual server is an emulated server that runs on hardware. This hardware can run multiple different emulated servers on one physical server. For more information about virtual servers, speak with your IT team.
A third option that may be available is using the cloud in place of onsite servers. Many vendors can host their systems on the cloud, which will eliminate the need to purchase new hardware if the servers you are replacing were used to run those systems. This option also alleviates any future licensing and upgrade concerns since all the components are managed by the vendor.
Each facility is unique, and there is no one-size-fits-all solution. It is important to have a clear understanding of the environment and a detailed migration plan in place. It is also imperative to include all of the practice management, EHR and other mission-critical vendors in the planning.
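The first step Mr. Gomes describes, finding and documenting every Windows Server 2003 machine, is something an ASC's IT team can start from the domain itself. The following PowerShell script is an added example written for this article, not code from PriorityOne Group or Microsoft. It assumes a domain-joined workstation with the ActiveDirectory module (RSAT) installed and an account allowed to read computer objects; the output file name is a hypothetical choice. It lists every computer account whose OperatingSystem attribute still reports Windows Server 2003, checks whether each one answers a ping, and flags accounts that have not logged on in 90 days (likely already decommissioned but never removed), which is exactly the "consolidate or decommission" question the answer raises.

```powershell
# Added example: inventory domain-joined hosts still reporting Windows Server 2003.
# Assumes the ActiveDirectory module (RSAT) is available and the caller can read AD.
# The CSV path is hypothetical; adjust it to where the assessment is being documented.
Import-Module ActiveDirectory

$staleCutoff = (Get-Date).AddDays(-90)

$report = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server 2003*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion,
                LastLogonDate, Description, IPv4Address, DNSHostName |
    ForEach-Object {
        # Prefer the DNS name for the reachability check; fall back to the NetBIOS name.
        $target = if ($_.DNSHostName) { $_.DNSHostName } else { $_.Name }
        $online = Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue

        # No recorded logon, or none in 90 days, suggests a box that is already gone.
        $stale = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $staleCutoff)

        [pscustomobject]@{
            Name          = $_.Name
            OS            = $_.OperatingSystem
            ServicePack   = $_.OperatingSystemServicePack
            Version       = $_.OperatingSystemVersion
            IPv4Address   = $_.IPv4Address
            LastLogonDate = $_.LastLogonDate
            Online        = [bool]$online
            StaleAccount  = $stale
            # The AD description field is a convenient place to record the server's
            # role (file/print, PM, EHR, ...) as each one is identified during assessment.
            Role          = $_.Description
            OU            = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
        }
    }

# Live, recently-used servers sort to the top: these are the ones that need a migration plan.
$report | Sort-Object -Property @{Expression='Online'; Descending=$true}, LastLogonDate -Descending |
    Format-Table Name, OS, ServicePack, IPv4Address, LastLogonDate, Online, StaleAccount, Role -AutoSize

# Keep the documented inventory with the migration plan.
$report | Export-Csv -Path .\ws2003-inventory.csv -NoTypeInformation
```

Hosts that are online and not stale are the ones to walk through the upgrade, replace, virtualize or cloud-host decision with the vendors; stale accounts that do not answer should be confirmed as decommissioned and removed from the directory so they stop showing up in compliance reviews. Machines that are not domain-joined will not appear in this list and still need to be found by other means, such as a network scan or the IT provider's asset records.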
Q: How much time does it take to migrate from Windows Server 2003?
NG: The time it will take will depend upon many factors, including the number of servers with Windows Server 2003 and what those servers are used for. Upgrading a server that is used to share printers and files will be much faster than upgrading a server running mission-critical applications. In that case, you will need to work with the application vendors (e.g., practice management and EHR) to develop a transition plan.
For larger projects, you may be looking at a migration that could take many weeks to complete. While July is still a few months away, do not wait any longer to begin this process. Speak with your IT team about Windows Server 2003 and what your ASC needs to do before the deadline to protect your data and keep your organization in compliance with HIPAA.