This is the date on which Microsoft will end general support, including patching, for the desktop editions of its Windows 10 Operating System (OS): Home, Enterprise, Education, IoT Enterprise, and Enterprise Multi-session. While this date may seem too far into the future to be of concern today, it is not: Windows 10 is widely used in workstations, laptops, and even medical devices, and continuing to run it on your hospital network after that date increases risk and limits operational continuity.
Devices running an unsupported OS present a significant and growing security risk due to the inability to:
Patch future OS vulnerabilities publicly shared by threat actors.
Receive patches for OS-specific third-party software vulnerabilities publicly shared by threat actors, because software vendors typically stop patching their products on outdated OS versions (e.g., Adobe, Java).
Comply with HIPAA, as the OS will no longer protect against reasonably anticipated threats and hazards, or support procedures to guard against, detect, and report malicious software.
Hospitals are urged to establish a plan to address this looming risk, and to examine existing policies and budgetary plans. Addressing obsolete technology in an administrative workstation or laptop is straightforward and typically handled by the Information Technology Department. However, addressing the risk in the medical device fleet is more challenging and may take multiple years to complete. To get started, it can be helpful to calculate medical device fleet metrics, both current and projected as of October 2025, such as:
Distribution of fleet with an unsupported OS, to determine the breadth of the problem.
Age of devices running the Windows 10 OS, to check whether newer device contracts include free upgrades.
Device count by clinical modality, to engage practice areas in developing a strategy.
Device impact on patient safety, to use in developing strategy and prioritizing plan execution.
Device count by manufacturer, to seek enhanced collaboration based on business relationship.
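As an added illustration (not part of MedSec's advisory, and not any vendor's tooling), the following Python script computes the five metrics above from a device inventory export, once for the current date and once projected to October 2025, and then orders the unsupported devices by patient-safety impact and age for plan execution. The inventory, asset names, vendors, the "current" date of October 18, 2023, and the projection date of October 31, 2025 are all constructed assumptions; the Windows 10 and Windows 7 end-of-support dates are Microsoft's published dates.

```python
"""Fleet metrics for devices approaching OS end of support (added example)."""
from collections import Counter
from datetime import date

# Microsoft's published end-of-support dates (from the release-health page the advisory cites).
WIN10_END_OF_SUPPORT = date(2025, 10, 14)
WIN7_END_OF_SUPPORT = date(2020, 1, 14)

# Assumed reporting dates: "current" matches the advisory's citation date, "projected" is
# the end of the month in which Windows 10 support ends.
CURRENT_DATE = date(2023, 10, 18)
PROJECTION_DATE = date(2025, 10, 31)

# Constructed sample inventory (hypothetical devices and vendors). Fields mirror what an
# HTM/CMDB export commonly carries; support_end is None when no end date has been announced.
INVENTORY = [
    {"asset": "INF-PUMP-01", "os": "Windows 10", "support_end": WIN10_END_OF_SUPPORT,
     "modality": "Infusion", "manufacturer": "VendorA", "purchased": date(2019, 3, 1),
     "patient_safety": "high", "network_use": "clinical"},
    {"asset": "CT-CONSOLE-02", "os": "Windows 10", "support_end": WIN10_END_OF_SUPPORT,
     "modality": "Imaging", "manufacturer": "VendorB", "purchased": date(2021, 6, 15),
     "patient_safety": "medium", "network_use": "clinical"},
    {"asset": "LAB-ANALYZER-03", "os": "Windows 7", "support_end": WIN7_END_OF_SUPPORT,
     "modality": "Laboratory", "manufacturer": "VendorC", "purchased": date(2014, 1, 1),
     "patient_safety": "medium", "network_use": "remote_support"},
    {"asset": "US-CART-04", "os": "Windows 11", "support_end": None,
     "modality": "Imaging", "manufacturer": "VendorB", "purchased": date(2023, 2, 1),
     "patient_safety": "low", "network_use": "clinical"},
    {"asset": "MON-05", "os": "Windows 10", "support_end": WIN10_END_OF_SUPPORT,
     "modality": "Monitoring", "manufacturer": "VendorA", "purchased": date(2017, 9, 1),
     "patient_safety": "high", "network_use": "clinical"},
    {"asset": "ADMIN-WS-06", "os": "Windows 10", "support_end": WIN10_END_OF_SUPPORT,
     "modality": "Administrative", "manufacturer": "VendorD", "purchased": date(2022, 1, 10),
     "patient_safety": "low", "network_use": "clinical"},
]

SAFETY_RANK = {"high": 0, "medium": 1, "low": 2}


def is_unsupported(device, as_of):
    """A device is unsupported once its OS end-of-support date has passed."""
    end = device["support_end"]
    return end is not None and as_of > end


def age_years(device, as_of):
    """Device age in years at the reporting date."""
    return (as_of - device["purchased"]).days / 365.25


def age_bucket(years):
    """Coarse age bands used to spot devices likely covered by newer contracts."""
    if years < 3:
        return "<3"
    if years <= 5:
        return "3-5"
    return ">5"


def fleet_metrics(inventory, as_of):
    """Compute the fleet metrics the advisory suggests, as of the given date."""
    unsupported = [d for d in inventory if is_unsupported(d, as_of)]
    win10 = [d for d in inventory if d["os"] == "Windows 10"]
    share = round(len(unsupported) / len(inventory), 3) if inventory else 0.0
    return {
        "as_of": as_of.isoformat(),
        "total": len(inventory),
        "unsupported": len(unsupported),
        "unsupported_share": share,
        "win10_age_buckets": dict(Counter(age_bucket(age_years(d, as_of)) for d in win10)),
        "unsupported_by_modality": dict(Counter(d["modality"] for d in unsupported)),
        "unsupported_by_safety": dict(Counter(d["patient_safety"] for d in unsupported)),
        "unsupported_by_manufacturer": dict(Counter(d["manufacturer"] for d in unsupported)),
        # Candidates for the "remove from the network" option: unsupported devices whose
        # only network use is remote support.
        "remote_support_only": [d["asset"] for d in unsupported if d["network_use"] == "remote_support"],
    }


def prioritize(inventory, as_of):
    """Order unsupported devices: highest patient-safety impact first, then oldest."""
    unsupported = [d for d in inventory if is_unsupported(d, as_of)]
    ranked = sorted(unsupported, key=lambda d: (SAFETY_RANK[d["patient_safety"]], -age_years(d, as_of)))
    return [d["asset"] for d in ranked]


if __name__ == "__main__":
    for label, when in (("current", CURRENT_DATE), ("projected", PROJECTION_DATE)):
        print(label, fleet_metrics(INVENTORY, when))
    print("remediation order:", prioritize(INVENTORY, PROJECTION_DATE))
```

Running the same function for both dates is the point: on the constructed data only one of six devices is unsupported today, but five of six will be after October 2025, and the manufacturer and modality counts show where the conversation with vendors and clinical areas needs to start.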
Using fleet metrics, hospital leadership should approve a set of actions to be evaluated in partnership with the device manufacturer, which can include:
Request a free upgrade from the manufacturer if included in the contract.
Purchase extended support through January 2027.
Activate a software firewall if it exists on the device.
Install an appropriate, low-cost physical firewall.
Remove the device from the network if connection is only used for remote support.
Replace the device if a supported version with similar functionality is available.
Collaborate with key manufacturers to help identify achievable compensating controls.
If your hospital has not started planning for Windows 10 OS reaching end of support, it is important to begin planning now and engage multiple internal stakeholders (e.g., Security, Information Technology, Healthcare Technology Management, and Clinical Staff).
The MedSec team can help you formulate a plan to meet your hospital’s needs. Email us at firstname.lastname@example.org to learn more.
Sources:
https://learn.microsoft.com/en-us/windows/release-health/release-information, October 18, 2023
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164, October 18, 2023