Windows XP® and Windows Server 2003® Pose Immediate HIPAA & Data Security Risks for Dental Practices
Are you using FastAttach® on a computer running the Windows XP operating system (OS)? Are your datacenters still running Windows Server 2003? If so, did you know that by continuing to run on a platform that has been discontinued and is no longer supported, you could be exposing your business to potential HIPAA violations and other security issues? It is very important that customers and partners of NEA Powered by Vyne plan to migrate to a modern operating system such as Windows 7® or, even better, Windows 10®, and upgrade servers to at least Server 2008® R2 by 10/29/2017, or else risk losing FastAttach service.
Is Your Data Security at Risk?
Support for Windows XP ended on April 8, 2014, which means there have been no security updates for that operating system since then. The HIPAA Security Rule specifically requires that you protect patient information with system patches and updates, which no longer exist for Windows XP. Although simply having a Windows XP computer on your network does not in itself constitute a HIPAA violation, healthcare organizations must consider any known vulnerabilities – notably whether patches are available for security threats and whether the manufacturer still supports the OS – in their risk analysis.
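The first step of the risk analysis described above is knowing which machines on your network still run an unsupported OS. The following PowerShell script is an added example, not code from NEA or the original notice; it assumes a domain-joined environment, the ActiveDirectory module (RSAT) on the admin workstation, and read access to computer objects. It flags hosts reporting an NT 5.1 or 5.2 kernel (Windows XP, XP x64 and Windows Server 2003) so they can be scheduled for migration.

```powershell
# Added example (not part of the NEA notice): list domain computers whose
# operating system is no longer supported by Microsoft.
# Assumptions: ActiveDirectory module installed, read access to the domain.
# NT 5.1 = Windows XP, NT 5.2 = Windows XP x64 / Windows Server 2003.
# Windows 7 and Server 2008 R2 report NT 6.1; Windows 10 reports 10.0.
Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$unsupported = foreach ($c in $computers) {
    # OperatingSystemVersion looks like "5.1 (2600)" or "6.1 (7601)"; keep the major.minor part.
    $ver = ([string]$c.OperatingSystemVersion -split ' ')[0]
    if ($ver -match '^5\.[12]$') {
        [pscustomobject]@{
            Name      = $c.Name
            OS        = $c.OperatingSystem
            NTVersion = $ver
            LastLogon = $c.LastLogonDate
        }
    }
}

# Show the most recently active hosts first; these carry the most exposure.
$unsupported | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# Keep a dated record for the practice's risk analysis file.
$unsupported | Export-Csv -Path ".\unsupported-hosts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Hosts that are not domain-joined (standalone imaging workstations, for example) will not appear in this list and need to be checked by hand or with a network scan; the CSV output is the kind of evidence a risk assessment should retain.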
Last year, Office of Civil Rights (OCR) director Jocelyn Samuels was quoted as saying, “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to e-PHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.” Reviews and risk assessments should outline a plan to minimize risk by migrating away from Windows XP because it’s not sustainable to continue using that operating system indefinitely.
Running outdated Windows XP computers on your network puts your overall system security at risk. With data breaches and hacks becoming almost daily news, you owe it to your practice to make sure that your business is up to date with software and hardware that minimizes your risk of security breaches. According to Sergio Galindo of computer security firm GFI Software, in an interview with Healthcare IT News, “For those healthcare providers that fall under HIPAA, having a Windows XP machine as part of your business practice may put your compliance at risk.” Computers running the outdated OS still work, of course, “but with greater and greater risk,” said Galindo. “It is highly likely that an unprotected system will be impacted by a virus, worm or malware.”
Can You Afford Not to Upgrade from Server 2003?
Businesses still running Windows Server 2003 also need to consider a migration strategy. Microsoft no longer issues security updates for any version of Windows Server 2003. TechRadar called the Windows Server 2003 end of life the “biggest security threat of 2015,” because the discontinuation of security updates and patches could leave businesses exposed to a large number of vulnerabilities. If you are still running Windows Server 2003 in your datacenter, you need to take steps now to plan and execute a migration strategy to protect your infrastructure.
According to IT World, for companies that have not already migrated their servers away from Server 2003, “it falls on them to protect and harden their servers, especially if they are in a heavily regulated sector governed by rules like SOX, HIPAA, PCI, NERC and others. Then they face even greater challenges, because they will be on the hook for security breaches and data losses, and the government is likely to take a dim view of a company that didn’t upgrade an obsolete server operating system because it couldn’t afford it.”
The Bottom Line…
In an effort to maintain compliance and compatibility, NEA urges clients and partners using the aforementioned outdated software systems to migrate to currently supported systems sooner rather than later. We will no longer support these outdated systems as of 10/29/17, and clients will lose FastAttach functionality if they have not migrated to other operating systems or server platforms. In its commitment to ongoing security and compliance, NEA will continue to monitor the industry best practices set forth by HITRUST and NIST, raising minimum requirements over time. Healthcare businesses that continue to use older computer systems will become a growing target for identity theft and HIPAA violations. Consider this: large companies like Anthem, Target and Home Depot survived their massive data breaches, but as a smaller company, could you?