5 Practical Tips for Year-End IT Budgeting and Procurement

As year-end approaches, many of our customers take a critical look at their budget and budget-planning processes. That typically involves two things: 1) reviewing the current year's budget for procurements that can be made before year-end, so those expenses land in this year's budget, and 2) setting the budget for the coming year.

Here are a few things to consider as you set priorities for new investments and upgrades. Don’t overlook changes that can lower your operating costs.

Items for Consideration

  1. License renewals. This is perhaps the most crucial item, since if you allow licenses to lapse, you lose the use of critical software and systems. License considerations are especially important this year, with Windows 7 end-of-life coming January 14, 2020. We covered this topic in an earlier post, especially the compliance implications. Include Windows 10 upgrades in your budgeting plans. Look at the age of your Windows 7-licensed workstations, and decide whether it makes more economic sense to replace them entirely with new Windows 10-licensed systems.
  2. Aging equipment. There’s a tendency to wait until something fails before you replace it. But if a system is near or past the end of the warranty period, it might be better to replace it proactively and avoid the costs and inconveniences of downtime while you wait for replacement of a broken machine.
  3. Network refresh. Take a closer look at your networking equipment, such as switches, routers and wireless access points. If they’re older, possible failure is a concern, but you also need to determine whether they can keep up with current network standards and expectations. Would a faster or more-capable switch improve performance or manageability? Would upgrading your older wireless access points or adding new ones improve network coverage or get rid of dead spots?
  4. Security. You can never be too secure, but there are a few additions that will improve your security posture immensely. One is free: enforcing a password policy that requires strong, regularly changed passwords. Another that is inexpensive or free is implementing multi-factor authentication (MFA) anytime a user logs on for the first time, or from a different machine or remote location. There are third-party solutions, or you can use the MFA capability built into Office 365.
  5. Service providers. Take a look at your monthly fees paid to service providers, and consider whether a different solution could give you a lower price, better performance, or new features. Feature-rich voice-over-IP systems have much to recommend them over traditional telephone services, and are generally less expensive. The same is true of replacing an older Internet connection with a vendor who delivers over fiber. If you have a large number of printers, there are printer management services that can save you money on consumables by controlling the use of color toner and ink, and curbing unnecessary printing.

Planning Proactively

At FIT Solutions, we help our clients look at the big picture of their technology, project future needs and plan proactively. One of the services we offer is the development of a Technology Business Plan that considers many of the areas above and more. It includes a Technology Infrastructure Roadmap that looks at short-, near- and long-term needs on a quarter-by-quarter basis so that you can budget effectively, accurately and proactively.

This holistic view will guide you to a more stable infrastructure, tighter security and increased performance while serving as a guideline for prioritizing and decision-making. If you’d like to get started, call us at (888) 339-5694.

Windows 7 End-of-Life (EOL): How to Maintain HIPAA Compliance

You may soon be facing a HIPAA compliance headache on the workstations in your healthcare facility. Microsoft support for Windows 7 and Windows Server 2008 ends on January 14, 2020.

No more security patches will be issued after that date. This puts those operating systems at odds with the HIPAA administrative safeguards, which include the specification for “protection from malicious software,” specifically “procedures for guarding against, detecting, and reporting malicious software.”

The end of support means that workstations running those operating systems will be unpatched against new exploits, leaving them highly vulnerable, and therefore, out of HIPAA compliance.

If you are still running those older operating systems, you’re not alone. Many companies still have Windows 2008 servers and Windows 7 workstations in their environments. While these operating systems are ten years old and newer systems are certainly better, organizations keep using them. They are very stable and continue to do their jobs well. But the longer you hang onto them, the greater the risk to your organization.

First, let’s talk about the risks, and then how to alleviate them without having to purchase all-new systems at once.

Lessons from Past Compliance Audits

After a data breach occurs, history shows that regulators conduct a thorough audit of the affected organization's entire environment. They look at everything. Even if the breach was caused by something as simple as an employee walking out with a thumb drive that was later lost or stolen, every other instance of non-compliance the auditors uncover is subject to a fine, even if it had nothing to do with the breach. Organizations found using Windows products that were past their end-of-life (such as Windows XP) have been fined for that in the past. Undoubtedly, Windows 7 and Server 2008 will be no exception.

Considering the Alternatives

Under the language of the HIPAA rule, specifications are listed as either required or addressable. “Protection from malicious software” is an addressable specification. That gives organizations a bit of wiggle room. Complying with an addressable specification involves evaluating the risk, considering the measures to mitigate it, coming up with a reasonable alternative that is equivalent, and documenting it. (That’s the short version; here’s the official source on how to meet an addressable specification.)

Let's say you find it impossible, or at least cost-prohibitive, to replace all of your out-of-compliance operating systems by January 14. You could address the HIPAA specification by upgrading a set number of systems every month between now and the end of 2020, until all have been upgraded. In the meantime, you implement an Endpoint Detection and Response (EDR) monitoring system to watch the systems that can no longer be patched, and you encrypt the systems that hold protected health information (PHI). The schedule and those compensating controls then go into your documentation.
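As an added illustration of the phased approach above (example code, not from the original post or FIT Solutions): a small Python planner that picks out the hosts still on Windows 7 or Windows Server 2008 from a constructed inventory, schedules them into fixed-size monthly batches with PHI-holding systems first, and lists the EOL hosts that still lack the EDR or encryption compensating controls, so both the schedule and the control gaps can be written into the risk management documentation. The `Host` fields, host names and the inventory itself are constructed assumptions.

```python
from dataclasses import dataclass

EOL_OS_PREFIXES = ("Windows 7", "Windows Server 2008")  # OS families the page calls EOL

@dataclass(frozen=True)
class Host:
    name: str
    os: str
    holds_phi: bool        # stores protected health information
    edr_installed: bool    # covered by the EDR monitoring agent
    disk_encrypted: bool   # full-disk encryption in place

def is_eol(host):
    return host.os.startswith(EOL_OS_PREFIXES)

def plan_upgrades(hosts, per_month, months, start=(2020, 1)):
    """Split EOL hosts into fixed-size monthly batches; return (schedule, leftover).
    Priority: PHI-holding hosts first, then servers, then by name (deterministic)."""
    eol = sorted((h for h in hosts if is_eol(h)),
                 key=lambda h: (not h.holds_phi,
                                not h.os.startswith("Windows Server"), h.name))
    schedule = []
    for i in range(months):
        m = start[1] - 1 + i  # zero-based month offset from the start month
        label = f"{start[0] + m // 12}-{m % 12 + 1:02d}"
        schedule.append((label, eol[i * per_month:(i + 1) * per_month]))
    return schedule, eol[months * per_month:]  # leftover needs a longer plan

def compensating_control_gaps(hosts):
    """EOL hosts missing the compensating controls the phased plan relies on."""
    gaps = {}
    for h in filter(is_eol, hosts):
        missing = []
        if not h.edr_installed:
            missing.append("EDR")
        if h.holds_phi and not h.disk_encrypted:
            missing.append("encryption")
        if missing:
            gaps[h.name] = missing
    return gaps

SAMPLE_INVENTORY = [  # constructed inventory, not real hosts
    Host("ws-01", "Windows 7 Pro", True, True, True),
    Host("ws-02", "Windows 7 Pro", False, False, False),
    Host("ws-03", "Windows 10 Pro", True, True, True),
    Host("ws-04", "Windows 7 Pro", True, True, False),
    Host("srv-01", "Windows Server 2008 R2", True, True, True),
    Host("srv-02", "Windows Server 2008 R2", False, True, False),
    Host("ws-05", "Windows 7 Enterprise", False, False, True),
]
```

Any host left in `leftover` or listed by `compensating_control_gaps` is an unmitigated finding an auditor would look for, so resolve or document each one.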

Hopefully, you have already performed this sort of analysis across all of the HIPAA specifications as part of your overall compliance effort. HIPAA requires you to perform a risk analysis, have a risk management plan, and document them both. Those are the first documents an examiner will want to see.

At FIT Solutions, we can advise you on all of the aspects of IT that impact your ability to comply with HIPAA. That includes helping you with your risk management and risk assessment plans and documentation, as well as assisting with your Windows 7 and Windows Server 2008 end-of-life planning.

Call us today at 888-339-5694.
