Health System Cybersecurity in the Post-Windows 10 Era

Microsoft Windows 10 is set to enter “end of life” on October 14, 2025. This doesn’t apply to the versions of Windows 10 in the Long-Term Servicing Channel (LTSC), which will end in 2027 (Standard) and 2032 (Internet of Things), respectively. However, the baseline non-LTSC versions of Windows 10 will no longer receive security updates or patches after October 14.

For health systems, Windows 10 entering end of life presents a substantial cybersecurity challenge. Key technologies like mobile workstations, specialized all-in-one PCs, rugged tablets, and legacy medical equipment that operate on stripped-down Windows versions can all be affected by this OS entering the end-of-life phase. Health systems need to devise a coherent plan to account for the technologies that may be affected by Windows 10 no longer receiving security updates. 

This article will cover what Windows 10 entering end of life means for health systems worldwide and provide key best practices for how to adapt. 

What End of Life Means for Windows 10 

Windows 10 was released in July 2015 and has spread throughout the corporate world. Even with the announcement of its end of life, around 40% to 45% of Windows users continue to use the Windows 10 operating system. The operating system runs a variety of critical devices for health systems, such as administrative computers and the terminals connected to critical machinery like MRIs or CAT scans. 

The end-of-life period in software means that there will be no technical support, no patches, and no security updates for the affected products. For Windows 10 users, this means that any vulnerability discovered after October 14 will not be fixed by Microsoft. This opens up health systems and other Windows 10 users to potential compromise through an unresolved security vulnerability. 

Microsoft’s recommendation for how to resolve this issue is to upgrade to Windows 11, which will continue to receive security updates and patches for the foreseeable future, until it too enters end of life when the next version of the Windows operating system is released. 

End of life does not mean that the computers using Windows 10 now will shut down. They will still function as normal, and every version of Windows 10 will keep running; what changes is that the risk of attack grows. Health systems need to address this new problem, but the question, as always, is what the best practices are for mitigating cyber risk for end-of-life operating systems. 

How Can Health Systems Mitigate Windows 10 End-of-Life Risk? 

Health systems can’t always immediately upgrade the operating systems of Windows machines. This is especially true given the scale of how many computers and terminals this might include throughout the health system. An update like this could impact many thousands of machines that can’t be easily taken out of service to have their operating systems updated without incurring significant costs or administrative headaches. 

Basic IoMT cybersecurity practices can be implemented here to assist in extending the life of these devices, all while ensuring cyber risk is mitigated. These include: 

  • Inventorying the number of machines running Windows 10 now 
  • Identifying the mission-critical machines 
  • Determining which machines can accept Windows 11 based on technology requirements and upgrading them if possible 
  • Applying monitoring and risk mitigation to computers where updates are not feasible at this time
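The four steps above can be turned into a per-host triage script. The following PowerShell function is an added example (not part of the original article and not Asimily's code): it records which Windows build and servicing channel a host runs, flags it if it appears in a mission-critical list, pre-screens it against the published Windows 11 hardware baseline (TPM 2.0, UEFI Secure Boot, 64-bit, 4 GB RAM, 64 GB system disk; Microsoft's supported-CPU list is not checked), and states which of the four steps applies. The host names in `$CriticalHosts` and the `hosts.txt` file in the usage comment are constructed placeholders.

```powershell
# Added example (not part of the original article, not Asimily's code).
# Triages one Windows host for the Windows 10 end-of-life plan. Run elevated:
# the TPM and Secure Boot queries need Administrator rights.
function Get-Win10EolStatus {
    [CmdletBinding()]
    param(
        # Constructed placeholder list; replace with the health system's own
        # inventory of mission-critical devices (imaging consoles, lab analysers ...).
        [string[]]$CriticalHosts = @('MRI-CONSOLE-01', 'CT-WORKSTATION-02')
    )

    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs      = Get-CimInstance -ClassName Win32_ComputerSystem
    $cur     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # Windows 11 still reports version 10.0; builds >= 22000 are Windows 11.
    $build   = [int]$os.BuildNumber
    $isWin11 = $build -ge 22000
    # LTSC editions carry EditionID EnterpriseS / EnterpriseSN; IoT LTSC is IoTEnterpriseS.
    $isIotLtsc = $cur.EditionID -match '^IoTEnterpriseS'
    $isLtsc    = $cur.EditionID -match 'EnterpriseS'

    # TPM 2.0 check: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16". No TPM -> no object.
    $tpm20 = $false
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop
        $tpm20 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')
    } catch { }

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware, which also fails the baseline.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    $ramOk  = $cs.TotalPhysicalMemory -ge 4GB
    $diskOk = $sysDisk.Size -ge 64GB
    $x64    = $os.OSArchitecture -like '64*'

    # Hardware pre-screen only: the supported-CPU list is not checked here.
    $win11Capable = $tpm20 -and $secureBoot -and $ramOk -and $diskOk -and $x64
    $critical     = $CriticalHosts -contains $env:COMPUTERNAME

    $plan = if ($isWin11)     { 'No action: already Windows 11' }
            elseif ($isIotLtsc) { 'IoT LTSC: still patched (to 2032); track separately' }
            elseif ($isLtsc)    { 'LTSC: still patched (to 2027); plan migration' }
            elseif ($win11Capable -and -not $critical) { 'Upgrade to Windows 11' }
            elseif ($win11Capable) { 'Mission-critical: schedule upgrade with the clinical owner' }
            else { 'Cannot upgrade: segment, monitor behaviour, restrict communication paths' }

    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        Product      = $cur.ProductName
        EditionID    = $cur.EditionID
        Build        = $build
        Channel      = if ($isIotLtsc) { 'IoT LTSC' } elseif ($isLtsc) { 'LTSC' } else { 'Non-LTSC' }
        Critical     = $critical
        Tpm20        = $tpm20
        SecureBoot   = $secureBoot
        Ram4GB       = $ramOk
        Disk64GB     = $diskOk
        Win11Capable = $win11Capable
        Plan         = $plan
    }
}

# Fleet usage (hosts.txt is an assumed file of computer names): run the function
# remotely on every host and keep the CSV as the inventory artefact for the plan.
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#     -ScriptBlock ${function:Get-Win10EolStatus} -ArgumentList (,@('MRI-CONSOLE-01')) |
#     Export-Csv .\win10-eol-inventory.csv -NoTypeInformation

Get-Win10EolStatus | Format-List
```

The Plan column is the point of the exercise: LTSC hosts are still inside their support window and only need tracking, hosts that pass the pre-screen and are not mission-critical can be scheduled for upgrade, and everything else lands in the fourth step, where monitoring and segmentation have to carry the risk until the device can be replaced.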

Risk mitigation is a key facet of addressing Windows 10’s end of life for health systems. There are likely computers throughout the system architecture that can’t be easily updated to a new operating system. Whether that’s because they’re too old or they’re too critical to running a particular piece of equipment, the reality is that there needs to be a considered and gradual plan for upgrading technology within the health system. 

Having the ability to implement risk mitigation tactics like macro-segmentation, targeted segmentation (explained below), or microsegmentation and behavior monitoring, as well as mapping communication pathways to understand risk, can help health systems manage the eventual upgrade process more effectively. 
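Two of the tactics named above, mapping communication pathways and then restricting a legacy host to them, can be exercised on the host itself with Windows Defender Firewall. The PowerShell below is an added example, not part of the original article and not Asimily's Targeted Segmentation feature: `Get-CommunicationMap` snapshots the established TCP sessions on a Windows 10 host so the required peers are known before anything is blocked, and `New-LegacyHostAllowlistRules` turns a reviewed peer list into allow rules and sets both firewall directions to default-deny. The peer addresses, ports and names in the default allowlist are constructed placeholders. A NAC policy or network segmentation would express the same allowlist at the switch or firewall instead of on the host.

```powershell
# Added example (not part of the original article, not Asimily's code).

function Get-CommunicationMap {
    # Snapshot of established TCP sessions grouped by peer, port and owning process.
    # Take it repeatedly over a representative period (e.g. hourly for a week) and
    # merge the results so infrequent but required peers (nightly image pushes,
    # time sync, licence checks) are not missed before default-deny is applied.
    $listening = (Get-NetTCPConnection -State Listen).LocalPort | Sort-Object -Unique
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                # A session on one of our own listening ports was initiated by the peer.
                Direction = if ($_.LocalPort -in $listening) { 'Inbound' } else { 'Outbound' }
                Peer      = $_.RemoteAddress
                Port      = if ($_.LocalPort -in $listening) { $_.LocalPort } else { $_.RemotePort }
                Process   = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            }
        } |
        Group-Object Direction, Peer, Port, Process |
        ForEach-Object {
            $_.Group[0] | Add-Member -NotePropertyName Sessions -NotePropertyValue $_.Count -PassThru
        }
}

function New-LegacyHostAllowlistRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Reviewed allowlist. Constructed placeholders: replace with the peers found by
        # Get-CommunicationMap and confirmed by the biomed/clinical owner. If the host is
        # domain-joined, DNS, domain controllers and the management host must be on it,
        # otherwise default-deny outbound will cut it off from them.
        [hashtable[]]$AllowedPeers = @(
            @{ Name = 'PACS archive';   Address = '10.20.30.5';  Port = 104;  Direction = 'Outbound' }, # DICOM
            @{ Name = 'EHR interface';  Address = '10.20.31.10'; Port = 2575; Direction = 'Outbound' }, # HL7 MLLP
            @{ Name = 'Jump host RDP';  Address = '10.20.40.2';  Port = 3389; Direction = 'Inbound'  }
        ),
        [string]$Prefix = 'EOL-Win10'
    )

    foreach ($p in $AllowedPeers) {
        $name = "$Prefix allow $($p.Name)"
        if ($PSCmdlet.ShouldProcess($name, 'Create firewall allow rule')) {
            $ruleParams = @{
                DisplayName   = $name
                Direction     = $p.Direction
                Action        = 'Allow'
                Protocol      = 'TCP'
                RemoteAddress = $p.Address
                Profile       = 'Any'
                Enabled       = 'True'
            }
            # Inbound rules pin the local service port; outbound rules pin the peer's port.
            if ($p.Direction -eq 'Inbound') { $ruleParams.LocalPort = $p.Port } else { $ruleParams.RemotePort = $p.Port }
            New-NetFirewallRule @ruleParams | Out-Null
        }
    }

    # Default-deny in both directions on every profile: anything not allowlisted is dropped.
    if ($PSCmdlet.ShouldProcess('Domain,Private,Public', 'Set default inbound/outbound action to Block')) {
        Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Block
    }
}

# Usage: record the map first, review it, then dry-run the rules before applying them.
Get-CommunicationMap | Export-Csv .\communication-map.csv -NoTypeInformation
New-LegacyHostAllowlistRules -WhatIf
```

Running the rule function with `-WhatIf` prints every rule and the profile change without applying them, which is the review step a biomed team needs before a device that controls clinical equipment loses a network path it relied on.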

Health systems commonly need to extend the life of their legacy machines – especially when these machines are otherwise functional and safe. By leveraging an IoMT risk mitigation platform, organizations can prevent an attacker from compromising endpoints using end-of-life operating systems. 

How Asimily Helps Extend the Use of End-of-Life Software

The Asimily platform is designed for health systems and healthcare providers seeking to mitigate the risk of Windows 10 end-of-life as well as secure crucial medical, operational technology, and Internet of Things devices. Asimily can also do this for IT devices. Asimily’s technology calculates the likely path of attackers entering the network and tracks the path through which they might gain a foothold in critical systems. Where possible, Asimily also provides guidance for risk remediation based on device configuration, manufacturer security capabilities, and overall impact to the customer’s specific environment. 

As part of this, Asimily offers up specific device recommendations or NAC rules that can be used to mitigate risks arising from end-of-life software, empowering users to continue using these devices. This ability to mitigate the risk of using end-of-life software saves a huge amount of time and material cost in replacing these devices. Depending on the machine, health systems may be able to continue using it indefinitely. 

Asimily has developed a technology for this, known as Targeted Segmentation, which empowers teams with additional security measures to defend critical technologies and limit the spread of cyberattacks. Understanding and following the likely path of attack also provides users with the time and the foundation to take on additional segmentation or microsegmentation, which Asimily also supports with specific data within the platform. 

In addition to risk mitigation, the Asimily platform also empowers health systems with key capabilities like: 

  • Comprehensive asset inventory – Building asset inventories for IoT and OT devices with a mix of passive and active monitoring. 
  • Vulnerability prioritization – Using data from multiple sources, Asimily empowers security teams to resolve the top 1% of vulnerabilities first for the biggest impact. 
  • Anomalous behavior monitoring – Tracking potential risks with behavioral monitoring to see if attackers have entered the network. 
  • Configuration control and drift correction – Storing preferred device configurations in a central location, and monitoring for and correcting configuration drift, to reduce the risk of device changes introducing new security risks. 

With Asimily, health systems can secure their patient data and critical technologies to avoid downtime and focus on patient care. Asimily’s targeted segmentation and risk mitigation ensure that, even with Windows 10 entering end-of-life, health systems can focus on patient outcomes and limit their risk of attacks that interrupt operations. 

To learn more about Asimily, reach out for a demo today.
