
Windows 7 EoL Has Arrived: Now What?


Although Microsoft ended mainstream support for Windows 7 back in January 2015, the company continued to release security patches under extended support for an additional five years. As of January 14, 2020, that is no longer the case.

As it happens, January 14th 2020 is also the end of life date set by Microsoft for Windows Server 2008 and Windows Server 2008 R2. As a result, devices running these operating systems will no longer receive vulnerability patches, bug fixes, feature upgrades, or technical assistance.

For hospitals, that's a very big deal. CyberMDX data shows that over 20% of a typical hospital's connected assets and 5% of its connected medical devices run Windows 7. Over time, the risks of continuing to run Windows 7 and Windows Server 2008/2008 R2 will only grow as new vulnerabilities are discovered and attackers develop new methods to exploit them, with no patch ever coming.

Best Laid Plans

The best course of action for hospitals is to upgrade their Windows 7 and Windows Server 2008/2008 R2 devices to Windows 10 and Windows Server 2019, respectively. For managed workstations, once new licensing is bought and paid for, the Windows 10 feature upgrade can be rolled out with relative ease using Windows Server Update Services (WSUS). Servers take more planning: there is no supported single-step in-place upgrade from Windows Server 2008/2008 R2 to 2019, so expect either a staged upgrade through an intermediate release or a clean install and migration of each role.

Of course, you'll first need to make sure that your computerized maintenance management system (CMMS) or other inventory management solution is up to date and reflects your entire device fleet, including the operating system and software version on each device; an upgrade program can only cover the devices you know about.

Mice and Men

Some devices face a trickier predicament when it comes to upgrading out of Windows 7 or Windows Server 2008 (R2). Upgrading is not always simple and straightforward, and there can be consequential interdependencies at play: a clinical application may only be validated against the operating system it shipped with, and changing one component can invalidate the vendor's support for the whole system. In situations where an upgrade seems "doable" but there is some cause for concern, we recommend that the responsible hospital managers consult the relevant device vendor before proceeding.

For other medical and IoT devices, an OS upgrade will require a full device upgrade cycle, affecting the motherboard, the processor, the medical applications, and so on. For these devices, an upgrade might not be operationally possible, at least not immediately.

Similarly, some medical devices, particularly long-lived capital equipment such as MRI machines (which are typically more than 11 years old), may not be upgradeable at all. This may be because the machine itself has reached its official end of product life and the vendor will no longer update it, or because its core functionality is incompatible with newer operating systems.

These issues — combined with the challenges of proper inventory management, budgetary restrictions, and limited available man-hours — can make it difficult to comprehensively oversee upgrades across large connected healthcare facilities. If, in such cases, you continue to operate your devices with deprecated operating systems, you will need to take aggressive steps to mitigate the risk.

Consider taking the following actions:

  • Wherever operationally possible, take Windows 7 and Windows Server 2008 (R2) devices that cannot be upgraded off the network entirely.
  • If de-networking is not an option, wherever operationally possible, place Windows 7 and Windows Server 2008 (R2) devices in their own VLANs, subject to strict security policies. Allow only the traffic the device needs to do its job: for example, only packets in the medical protocols it uses (such as DICOM or HL7), and only to the specific servers it must reach, with everything else denied and logged.
  • Make sure that your access controls (network ACLs, host firewall rules, and restricted accounts) are configured so that the known, never-to-be-patched vulnerabilities in these systems cannot be reached from the rest of the network, and disable any services the device does not need.
  • Continuously monitor for new vulnerabilities that affect your deprecated devices and take protective measures accordingly; since no patch will arrive, the response will be a network or configuration control rather than an update.
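The segmentation policy described above can be checked mechanically. The following is an added example and is not code from the original article or from CyberMDX: it takes flow records (source, destination, protocol, destination port) as a firewall or NetFlow exporter would produce them for a quarantine VLAN of unsupported Windows hosts, checks each against an allowlist of medical protocols to specific peers, and renders the same allowlist as an IOS-style extended ACL. The VLAN range 10.40.0.0/24, the PACS, interface-engine and management host addresses, the management-only RDP rule, and the flow records themselves are all constructed assumptions for the demonstration; DICOM's registered port is 104 and HL7 MLLP listeners are commonly run on 2575.

```python
"""Policy check for a quarantine VLAN holding Windows 7 / Server 2008 devices.

Added example, not from the original article. The VLAN range, the host
addresses, the management-only RDP rule and the sample flows are assumptions
constructed for the demonstration, not captured traffic.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

LEGACY_VLAN: IPv4Network = ip_network("10.40.0.0/24")  # assumed Win7 / 2008 VLAN
MGMT_HOST: IPv4Address = ip_address("10.10.200.5")      # assumed management jump host

# Traffic leaving the legacy VLAN: (protocol, dst port) -> permitted destination hosts.
EGRESS_ALLOW = {
    ("tcp", 104): {ip_address("10.10.5.20")},   # DICOM to the PACS archive (assumed host)
    ("tcp", 2575): {ip_address("10.10.5.30")},  # HL7 MLLP to the interface engine (assumed host)
}
# Traffic entering the legacy VLAN: only RDP from the management host (assumed policy).
INGRESS_ALLOW = {("tcp", 3389): {MGMT_HOST}}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> str:
    """Return 'allow', 'out-of-scope', or 'deny: <reason>' for one flow record."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    key = (flow.proto.lower(), flow.dport)
    if src in LEGACY_VLAN:
        permitted = EGRESS_ALLOW.get(key)
        if permitted is None:
            return f"deny: {key[0]}/{key[1]} is not a permitted medical protocol"
        if dst not in permitted:
            return f"deny: {key[0]}/{key[1]} to {dst} is not a permitted peer"
        return "allow"
    if dst in LEGACY_VLAN:
        permitted = INGRESS_ALLOW.get(key)
        if permitted is None or src not in permitted:
            return f"deny: inbound {key[0]}/{key[1]} from {src} is not from the management host"
        return "allow"
    return "out-of-scope"


def audit(flows) -> list:
    """Return (flow, verdict) pairs for every flow the policy would block."""
    return [(f, v) for f in flows if (v := evaluate(f)).startswith("deny")]


def to_cisco_acl(name: str = "LEGACY-WIN7-OUT") -> list:
    """Render the egress allowlist as an IOS-style extended ACL ending in a logged deny."""
    lines = [f"ip access-list extended {name}"]
    wildcard = LEGACY_VLAN.hostmask  # IOS ACLs use wildcard (inverse) masks
    for (proto, port), hosts in sorted(EGRESS_ALLOW.items()):
        for host in sorted(hosts):
            lines.append(
                f" permit {proto} {LEGACY_VLAN.network_address} {wildcard} host {host} eq {port}"
            )
    lines.append(" deny ip any any log")
    return lines


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.40.0.15", "10.10.5.20", "tcp", 104),    # scanner sending DICOM to PACS
    Flow("10.40.0.15", "10.10.5.30", "tcp", 2575),   # HL7 to the interface engine
    Flow("10.40.0.15", "10.10.5.21", "tcp", 104),    # DICOM to an unapproved host
    Flow("10.40.0.16", "10.10.9.9", "tcp", 445),     # SMB file sharing out of the VLAN
    Flow("10.40.0.16", "8.8.8.8", "udp", 53),        # DNS straight to the internet
    Flow("10.10.7.7", "10.40.0.15", "tcp", 3389),    # RDP from a non-management host
    Flow("10.10.200.5", "10.40.0.15", "tcp", 3389),  # RDP from the management host
    Flow("10.10.5.20", "10.10.5.30", "tcp", 2575),   # traffic that never touches the VLAN
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {verdict}")
    print("\n".join(to_cisco_acl()))
```

Run against the constructed flows, four of the eight are reported: the DICOM session to the wrong host, the SMB and DNS egress, and the RDP attempt from a non-management host. The same allowlist is what the ACL at the end enforces on the switch, with the final logged deny providing the monitoring feed for the last bullet above.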


Oft Awry, Windows 7 Refuses to Die

At least for now, businesses that are willing to pay also have the option of buying Extended Security Updates (ESU) from Microsoft for their Windows 7 and Windows Server 2008/2008 R2 devices.

For organizations with Windows 7 Enterprise, ESU costs $25 per device in the first year, $50 per device in the second year, and $100 per device in the third.

For organizations with Windows 7 Pro, ESU costs $50 per device in the first year, $100 per device in the second, and $200 per device in the third.

These extended support packages can be purchased via the Volume Licensing Service Center or from qualified Cloud Solution Providers.

Smartly, Microsoft is using the end of some of its products to push for the adoption of others. For organizations using Windows Server 2008 or Windows Server 2008 R2, the end of the support road is as good a reason as any to consider migrating to the cloud, as Microsoft is offering three years of ESU at no additional charge to customers who move those workloads to Azure.

Grief and Pain for Promised Joy

It must be emphasized that extended support is not a solution, but a band-aid: ESU covers only vulnerabilities Microsoft rates critical or important, its price doubles each year, and it is unclear how long the option will remain available or how high its lifetime cost may run.

If you are unable to upgrade your devices to Windows 10, we strongly encourage you to run a cost-benefit analysis, weighing post-EoL Windows 7 maintenance against outright device replacement.

The analysis should cover a period no less than three years and include the estimated ESU costs, costs associated with the increased potential of a cyber event, and the time costs incurred on account of added configuration, monitoring, and management requirements. If replacement would confer improved device performance, accuracy, or operational efficiency, that should be factored in as well.

The bottom line is this: you face a difficult transition ahead, but the absolute worst thing you can do is bury your head in the sand and ignore it.

No matter the device or context, there is an effective way to limit your risk in the face of the Windows 7 EoL. You just need to take stock of your technology and circumstances and map out a remediation logic tree for each device type.