Upgrade Internet Explorer to Remain HIPAA Compliant

On Wednesday January 12, 2016, Microsoft will stop issuing support and security updates for Internet Explorer 8, 9 and 10. All users of Internet Explorer must therefore upgrade to Internet Explorer 11, or make the switch over to Microsoft Edge, in order to continue receiving support, security updates, and patches.

18 months ago, Microsoft announced that its internet browser updates for IE8, IE9, and IE10 would be stopping. Any user who has not yet upgraded now has just two days left before their browser officially becomes obsolete.

Whenever software is discontinued and support and security patches are stopped, that software becomes a security risk. Vulnerabilities are discovered that are not patched, and hackers are likely to be able to take advantage.

Microsoft recently issued a warning saying continued use of IE 10, 9 and 8 would leave individuals “at risk of viruses and other malicious software that exploit security flaws and bugs in the browsers.”

Figures from Netmarketshare.com and Duo Security put the number of Internet Explorer users with IE10 and below installed at between 20% and 36%.

Users of IE 8, 9, and 10 should therefore upgrade promptly. They are unlikely to suffer a drive-by malware attack if they do not upgrade their browser this week. However, over time, the security risk will increase. It would be inadvisable to delay upgrading the browser for long. That said, from Wednesday January 12, 2016, any employee of a HIPAA-covered entity who continues to use Internet Explorer 10 or below will be in violation of HIPAA Rules.

Use of Internet Explorer 10 and Below Will Be a Violation of HIPAA Rules


The HIPAA Security Rule requires covered entities to conduct a risk assessment to identify potential security vulnerabilities that could place the confidentiality and integrity of ePHI at risk. A risk assessment should identify out-of-date software as being a security risk. Additionally, under Standard §164.308(a)(1)(i) covered entities are required to “implement procedures to prevent security incidents including software updates and patch management.”

Security patches will continue to be issued for the latest version of IE. Security vulnerabilities discovered by Microsoft to affect IE11 will be patched, but many of those vulnerabilities will also exist in IE10 and below.

All a hacker would need to do to take advantage of this is wait until the next IE11 patch is released and look at the vulnerabilities that have been addressed. Those aspects of the software could potentially be exploited in earlier versions of the browser. Since there is a real risk of these security vulnerabilities being exploited and used to download malware to healthcare computers running earlier versions of Internet Explorer, an upgrade to either IE11 or Microsoft Edge would be required to remain compliant with HIPAA.

HIPAA-Covered Entities Have Been Fined for Failing to Install Software Patches/Upgrades


Covered entities that fail to update software or install patches in a timely manner, and those that do not have a patch management policy in place, could well face sanctions from the Office for Civil Rights, as Anchorage Community Mental Health Services discovered. OCR fined ACMHS $150,000 in 2014 for a data breach suffered as a result of malware being installed on its computer network.

ACMHS had been running outdated software and had failed to install security patches. Installation of those patches would have prevented the malware infection and would have protected the privacy of 2,743 individuals.

Addressing security risks, for example by upgrading and patching software, is a basic security measure. According to a statement issued by Jocelyn Samuels, Director of OCR, on announcement of the HIPAA settlement, “[HIPAA-Compliance] includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.