
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Upgrade Internet Explorer to Remain HIPAA Compliant

On Wednesday January 12, 2016, Microsoft will stop support and security updates for Internet Explorer 8, 9 and 10. All users of Internet Explorer must therefore upgrade to Internet Explorer 11, or switch to Microsoft Edge, in order to continue receiving support, security updates, and patches.

18 months ago, Microsoft announced that its internet browser updates for IE8, IE9, and IE10 would be stopping. Any user who has not yet upgraded now has just two days left before their browser officially becomes obsolete.

Whenever software is discontinued and support and security patches are stopped, that software becomes a security risk. Vulnerabilities are discovered that are not patched, and hackers are likely to be able to take advantage.

Microsoft recently issued a warning saying continued use of IE 10, 9 and 8 would leave individuals “at risk of viruses and other malicious software that exploit security flaws and bugs in the browsers.”

Figures from Netmarketshare.com and Duo Security put the number of Internet Explorer users with IE10 and below installed at between 20% and 36%.

Users of IE 8, 9, and 10 should therefore upgrade promptly. They are unlikely to suffer a drive-by malware attack if they do not upgrade their browser this week. However, over time, the security risk will increase. It would be inadvisable to delay upgrading the browser for long. That said, from Wednesday January 12, 2016, any employee of a HIPAA-covered entity who continues to use Internet Explorer 10 or below will be in violation of HIPAA Rules.

Use of Internet Explorer 10 and Below Will be a Violation of HIPAA Rules

The HIPAA Security Rule requires covered entities to conduct a risk assessment to identify potential security vulnerabilities that could place the confidentiality and integrity of ePHI at risk. A risk assessment should identify out-of-date software as being a security risk. Additionally, under Standard §164.308(a)(1)(i) covered entities are required to “implement procedures to prevent security incidents including software updates and patch management.”

Security patches will continue to be issued for the latest version of IE. Security vulnerabilities discovered by Microsoft to affect IE11 will be patched, but many of those vulnerabilities will also exist in IE10 and below.

All a hacker would be required to do to take advantage of this would be to wait until the next IE11 patch is released and look at the vulnerabilities that have been addressed. Those aspects of the software could potentially be exploited in earlier versions of the browser. Since there is a real risk of these security vulnerabilities being exploited and used to download malware to healthcare computers running earlier versions of Internet Explorer, an upgrade to either IE11 or Microsoft Edge would be required to remain compliant with HIPAA.

HIPAA-Covered Entities Have Been Fined for Failing to Install Software Patches/Upgrades

Covered entities that fail to update software or install patches in a timely manner, and those that do not have a patch management policy in place, could well face sanctions from the Office for Civil Rights, as Anchorage Community Mental Health Services discovered. OCR fined ACMHS $150,000 in 2014 for a data breach suffered as a result of malware being installed on its computer network.

ACMHS had been running outdated software and had failed to install security patches. Installation of those patches would have prevented the malware infection and would have protected the privacy of 2,743 individuals.

Addressing security risks, for example by upgrading and patching software, is a basic security measure. According to a statement issued by Jocelyn Samuels, Director of OCR, on announcement of the HIPAA settlement, “[HIPAA-Compliance] includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
