OCR Alert: Windows 7 a Growing Risk for Cyberattacks

August 13, 2020
OCR-Alert-Windows-7-Blog

Have you updated your Microsoft Windows version recently? If your answer is no, then you might be at a greater risk of experiencing a cyberattack. The Office for Civil Rights (OCR) in partnership with the FBI sent out an alert just this morning regarding the increase in cyberthreats to outdated computer networks, specifically the Windows 7 operating system (OS). 

Windows 7 went end of life (meaning it is no longer supported or patched by Microsoft) in January of this year. Because it is no longer monitored or supported, the OS is missing the necessary security updates to continuously protect against hackers. Utilizing the outdated system dramatically increases the risk of cyberattackers accessing your computer systems – including the sensitive patient data they house. 

In their alert, the OCR expands on the various vulnerabilities that come from failing to safeguard your practice’s computer network by continuing to use Windows 7, including that:

  • As of last May, 71% of healthcare organizations were still using the Windows 7 operating system. 
  • The healthcare industry experienced a similar rise in exposed health records after the Windows XP version reached end of life in 2014.
  • The Windows 7 system has already been a target for ransomware attacks, including a 2017 hack that affected a multitude of Windows 7 operating systems. This means Windows 7 has already been shown to be a vulnerable and easy target for hackers.

Other factors that increase the current risk include the shift to working remotely and the less secure network connections typically used at home. It is highly recommended to upgrade any outdated computer systems as soon as possible to reduce risk. In addition to updating your operating system, ensure your anti-virus and firewalls are all up to date to best protect your devices from outside threats. 

While updating core operating software may mean additional costs and resources, the OCR emphasized the importance of following their recommendation in their alert, stating that, “these challenges do not outweigh the loss of intellectual property and threats to an organization.” While HIPAA does not specify a required operating system, meeting required technical safeguards does include keeping your systems secure and as protected as reasonably possible from cyber threats. In this case, that means having an active OS that is still receiving critical security updates. We highly recommend protecting your critical patient information and upgrading any systems necessary as soon as possible.