On October 21, 2021, an end of support notice was sent to senior IS core leaders and application/service owners, asking that they cascade critical information to relevant members of their teams.
As of the end of August, there were 1,100 instances of Windows 2003 & Windows 2008 (non-R2) across our environment, with over 1,500 databases on SQL 2000, 2005 and 2008 (non-R2). This presents a tremendous security risk to Providence as there are no security patches provided by the OEM for these versions for known critical vulnerabilities. It also poses a significant supportability challenge with no vendor support and lack of modern features, coupled with very limited automation opportunities. While we have made great progress over the last year removing these legacy versions, we still have a sizeable footprint in production today.
Given the increasing risk and escalating cyberattacks on the healthcare segment, especially exploiting these legacy technologies with known vulnerabilities, we are ready to put a stake in the ground on our remaining highest-risk Windows Server and SQL versions.
Below is a list of the remaining operating systems and SQL databases that pose the highest security threat to the organization. Based on the number of instances remaining, a timeline prioritizes which of these must be decommissioned or upgraded. Investigations will continue between now and the dates below to identify missing application mappings and to sleep-test/decommission what cannot be identified.
Key dates
| Windows/SQL Version | 100% Mapped or Sleep Tested | Remediation Deadline | Servers Remaining |
|---|---|---|---|
| SQL 2000 | Aug. 2021 | Sept. 30, 2021 | DB 4 |
| WIN 2003 / SQL 2005 | Nov. 19, 2021 | Mar. 31, 2022 | OS 600 / DB 632 |
| WIN 2008 / SQL 2008 (non-R2) | Jan. 28, 2022 | Aug. 31, 2022 | OS 498 / DB 898 |
| WIN 2008 R2 / SQL 2008 R2 | Mar. 31, 2022 | Jan. 31, 2023 | OS 3,398 / DB 8,255 |

**Extended Security Update (ESU) licenses and monthly patches must be applied via the CEO patch team.
Find your estate on our dashboard
The Server Health & Compliance Dashboard is a great place to get more details around your estate and security vulnerabilities.
Action required
- Servers must be upgraded or decommissioned prior to the remediation deadlines above.
- If an application cannot upgrade, it must have a clear exception plan for decom/upgrade approved by CEO VP + App VP in writing. (No approved plan by above date will result in servers getting turned off.)
- Exceptions must be requested by engaging a Cloud Engineering & Operations PM (below); requests will be reviewed by our engagement team and relevant VPs.
  - Windows Server: Darrell Butler
  - SQL Database: Balaji Yelugoti
  - Escalations: Kyle Schadt
Support changes post-deadline
- Orphaned servers without any application mapping will be decommissioned prior to remediation deadlines above.
- Application cannot be classified as a Tier-1 app in ServiceNow. (App tier/recovery rank to be updated.)
- Forced install of latest Service Pack and all relevant patches will require downtime (Win 2003 = SP2, Win 2008 = SP2, SQL 2005 = SP4, SQL 2008 = SP4).
- Cannot live on DMZ or restricted zones (internet-facing).
- No new installs of any new unsupported OS/DB versions.
How to engage CE&O for help
Our teams are open for discussion to help you through this effort. Please reach out to the PM team (contacts below) for guidance or create a ServiceNow request to address a server or DB you own.
- To migrate to supported WIN / DBs on Azure
- To upgrade to supported WIN / DBs on-prem
- Apply latest Service Pack and subsequent patches
- Archive critical/PHI data for data retention purposes
Contacts
- PM team: For questions/planning/exceptions: Darrell Butler (Windows) & Balaji Yelugoti (SQL)
- Windows team: Lee Kriebaum (on-premise), David Hatch (Azure)
- SQL team: Jeff Marsh (on-premise), Minglin Chang (Azure)
- Application migration team: Bryan De Boer, KJ Anderson