Dedicated to providing the latest
HIPAA compliance news

HIPAA Compliance Deadline for Windows Server 2003 Upgrade Fast Approaches

Share this article on:

Microsoft has announced it will be stopping issuing patches and software updates for Windows Server 2003 on July 15, 2015. Any HIPAA-covered entity that is still running the outdated software on any of its servers after this date will be in violation of the HIPAA Security Rule, and could face a financial penalty from the Department of Health and Human Services’ Office for Civil Rights (OCR).

Microsoft advises users to upgrade to Windows Server 2012 R2 in order to maintain security standards and receive continued support, upgrades and patches.

Upgrades Must be Planned and Time is Fast Running Out

 

When Microsoft stopped issuing patches for Windows XP, all users had to be moved onto new operating systems; a task that required a considerable amount of planning, a considerable number of man hours and a not insignificant financial outlay. While a HIPAA-covered entity will have fewer servers than desktops/laptops, upgrading servers has potential to cause even more disruption, especially in large organizations operating a number of servers and an even higher number of virtual servers.

Server upgrades require the equipment to be taken out of action for a period of time, data needs to be migrated and access to data cannot be interrupted. With less than a month remaining until the deadline, any organization that has yet to make the change must start planning now. Time is fast running out.

Failure to Upgrade Windows Server 2003 Before July 15, 2015 is a HIPAA Violation

 

Once Microsoft pulls the plug on Windows Server 2003 and stops issuing security updates and patches the platform will be considered obsolete. Hackers will be able to work on the system and exploit security loopholes. Without patches of servers, any PHI stored on computer networks accessible through that server will be vulnerable to attack. This would be a violation of 45 CFR §164.308 (a) (1) (i)/(ii) of the Security Rule.

A failure to update software could be considered willful neglect of HIPAA Rules. That carries a fine of up to $1.5 million, per year that the software remained unpatched.

Office for Civil Rights Financial Penalties for Obsolete Software

 

The OCR is not averse to issuing financial penalties to HIPAA-covered entities that fail to install software patches and upgrades. Last year the agency fined Anchorage Community Mental Health Services $150,000 for a data breach that exposed the PHI of 2,700 individuals.

The resolution agreement stated that the penalty was issued for “failing to implement technical security measures to guard against unauthorized access to e-PHI” and for not ensuring that “information technology resources were both supported and regularly updated with available patches.”

Further information on HIPAA physical, administrative and technical safeguards can be found in our free HIPAA compliance guide.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On