Swallowing the Windows 2008 Elephant - Staying ahead of Security in 2020


We all expect Sophrona to meet the highest security standards in information technology. Our Patient Portal and Referral Portal require it. Our clients and partners depend on it. For a company like ours, part of the cost of doing business is keeping up with HIPAA and Payment Card Industry Data Security Standard (PCI DSS) requirements.

Yet getting ready for 2020 was a big task even for us. Working through the sunsetting of Windows Server 2008 and various other server and workstation versions earlier this year was a challenge. Changing servers has ripple effects through applications, networks, and so on. It is very difficult to make one change that doesn't lead to others, and then to others.

Eating the elephant in small bites becomes difficult because you can never really finish your bite. 

It dawned on me that if Sophrona felt the strain of server migrations, how much more so for our ophthalmology practice clients, many of which are small, with limited or no IT staffing.

This has obviously been on the minds of many of our clients as year end approaches, as confirmed recently by a spate of comments on the American Society of Ophthalmic Administrators message boards.

The elephant

The task before any business as year end approaches is Microsoft's end of support for Windows Server 2008 (and 2008 R2) and Windows 7 workstations, both on January 14, 2020. Earlier this year, on July 9, 2019, Microsoft ended support for SQL Server 2008 and 2008 R2 as well. After those dates no further security patches are released for these products (Microsoft's paid Extended Security Updates are a short-term bridge, not a substitute for migrating), so any medical practice wanting to maintain a secure environment in the new year needs to be on supported versions. Merchants who take credit cards have the added burden of PCI DSS compliance, which requires that systems receive security patches as new vulnerabilities are identified.

But how to eat the elephant?

Practices have generally been challenged along the classical axes of project management: time, scope, and resources. Practices that started early discovered that finding the right vendor or staff was a challenge. Others started late. Still others realized their budget wouldn't allow for the full scope of the project.

For a boots-on-the-ground perspective, I turned to Lesley DeLille, IT Director at Eye Surgeons Associates in Iowa. By ophthalmology standards, this is a fairly large practice, with 22 doctors and many locations. Lesley is a self-admitted techy geek but also a good general manager with lots of experience. She understands that setting priorities is essential in business, because you always have to work within constraints.

She offered these insights.

  • Define the scope of the infrastructure that is affected, then set tiers to define priority.

For Eye Surgeons Associates, Tier 1 included all application and database servers used for the practice management system, electronic health records, and image management. All these servers had to be upgraded to Windows Server 2016.

Tier 2 machines were defined to include workstations running Windows 7 used in clinical workflow. Many of these were replaced with thin clients running Remote Desktop Services sessions from a terminal server. The thin clients were less expensive and allowed the practice to avoid purchasing Windows 10 workstations where they were not strictly needed; the trade-off is that the patching burden moves to the terminal server, which must itself stay on a supported operating system. Some workstations required full systems, so those were either replaced or upgraded.

Tier 3 machines were those that could not be upgraded (possibly because of legacy software or special testing devices), or non-mission-critical systems where staying on Windows 7 and accepting the risk that patches would no longer be available could be tolerated in the short term. Where possible, internet access from Windows 7 or older systems was eliminated or restricted, the machines were segmented off from other devices, and the set of users who could log into the older workstations was further reduced and restricted.
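As an added illustration, not part of the original article and not Eye Surgeons Associates' own tooling, the PowerShell below scripts the two technical steps in the tiers above: building the list of end-of-life machines from Active Directory so each can be assigned to a tier, and locking down a Tier 3 host that has to stay on Windows 7 (default-deny firewall in both directions, with only internal ranges, DHCP and RDP from an admin subnet allowed, and interactive logon limited to local Administrators plus one group). The domain name CORP, the subnets 10.10.50.0/24, 10.0.0.0/8 and 192.168.0.0/16, and the group Legacy-WS-Users are assumptions for the example. A host firewall only approximates "segmented off from other devices"; real segmentation is a VLAN or firewall rule on the network side and is outside the script.

```powershell
# Added example, not code from the article or from Eye Surgeons Associates.
# Assumed names: domain CORP, admin subnet 10.10.50.0/24, internal ranges
# 10.0.0.0/8 and 192.168.0.0/16, and the domain group CORP\Legacy-WS-Users.

# Step 1 (scope): run on a domain-joined admin workstation that has the
# ActiveDirectory module (RSAT). Returns every computer object whose OS has
# passed end of support, with its last logon date, for tier assignment.
function Get-EndOfLifeComputer {
    param(
        [string[]]$EolPatterns = @('Windows 7*', 'Windows Server*2008*',
                                   'Windows XP*', 'Windows Server*2003*')
    )
    Import-Module ActiveDirectory
    Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Where-Object {
            $os = $_.OperatingSystem
            $os -and ($EolPatterns | Where-Object { $os -like $_ })
        } |
        Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Sort-Object OperatingSystem, Name
    # SQL Server 2008 is an application, not an OS, so it is invisible here;
    # inventory it separately (for example, Get-Service MSSQL* on each server).
}

# Step 2 (isolate a Tier 3 host): run elevated on the Windows 7 machine itself,
# from the console rather than over RDP, because the firewall changes below can
# drop the session you are working in. Windows 7 ships PowerShell 2.0 without
# the NetSecurity module, so netsh and secedit are used instead.
function Protect-LegacyHost {
    param(
        [string[]]$InternalRanges = @('10.0.0.0/8', '192.168.0.0/16'),
        [string]$AdminSubnet = '10.10.50.0/24',
        [string]$AllowedLogonGroup = 'CORP\Legacy-WS-Users'
    )
    $outRule  = 'Legacy-InternalOnly-Out'
    $dhcpRule = 'Legacy-DHCP-Out'
    $inRule   = 'Legacy-AdminRDP-In'
    # Join into one string: a bare comma in argument position would be split
    # by PowerShell into separate netsh arguments.
    $ranges = $InternalRanges -join ','

    # Add our allow rules first, disable every other rule so that old "allow"
    # entries cannot punch through, then re-enable only ours.
    netsh advfirewall firewall add rule name=$outRule dir=out action=allow remoteip=$ranges enable=yes
    netsh advfirewall firewall add rule name=$dhcpRule dir=out action=allow protocol=UDP localport=68 remoteport=67 enable=yes
    netsh advfirewall firewall add rule name=$inRule dir=in action=allow protocol=TCP localport=3389 remoteip=$AdminSubnet enable=yes
    netsh advfirewall firewall set rule name=all new enable=no
    foreach ($r in @($outRule, $dhcpRule, $inRule)) {
        netsh advfirewall firewall set rule name=$r new enable=yes
    }
    # Default-deny both directions on every profile: any destination not in
    # $InternalRanges, which includes the whole Internet, is now dropped.
    netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

    # Interactive logon: local Administrators (S-1-5-32-544) plus one domain group.
    # Assigning SeInteractiveLogonRight replaces the default list, which otherwise
    # contains Users and therefore every domain user. Single-quoted here-string
    # keeps the literal $CHICAGO$ signature that secedit expects.
    $inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,__GROUP__
'@ -replace '__GROUP__', $AllowedLogonGroup
    $infPath = Join-Path $env:TEMP 'legacy-logon.inf'
    $dbPath  = Join-Path $env:TEMP 'legacy-logon.sdb'
    Set-Content -Path $infPath -Value $inf -Encoding Unicode
    secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet

    # Show what is now in force so it can be recorded next to the accepted risk.
    netsh advfirewall show allprofiles
    foreach ($r in @($outRule, $dhcpRule, $inRule)) {
        netsh advfirewall firewall show rule name=$r
    }
}
```

Run Get-EndOfLifeComputer from an admin workstation and Protect-LegacyHost from the console of each Tier 3 machine. The netsh and secedit changes take effect immediately and survive a reboot, and the final show commands produce the evidence to file alongside the risk the practice has chosen to accept for that host.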

  • Recognize your constraints: What is your budget? What in-house and external consulting staff can be brought in to work on the project? How do their other responsibilities affect their ability to contribute to this project? How much money do you have for server and workstation replacements? How much time do you have to complete the work?

Lesley explained that she is lucky to have a small in-house IT team; she is able to do things many other ophthalmology practices probably can't, like having her team rebuild older Windows 7 machines so they can be upgraded to run Windows 10. Adding memory and SSD drives made it possible to keep some older machines a little longer, and still got them running Windows 10. She started early, but she didn't have her dream budget either.

  • Practice Risk Management: look at your project scope and determine the risks involved. What can go wrong and what do you do about the risks?

For each risk, decide which you can eliminate outright, which you can mitigate in likelihood and/or impact, and finally which you accept because the cost of mitigating the risk is greater than the cost of it happening.

  • You may not be able to do it all, but have a plan.

Finally, recognize that having a plan will put you in a much better position to be effective with your limited resources. Things change and having a plan allows you to adapt more quickly.

To all our clients, we wish you a happy, healthy, prosperous, and IT secure 2020 New Year!


More articles by Marc-François Bradley