For the medical practice, keeping current with software releases is not only a good idea, but it’s also the law. Under the HIPAA Security Rule, using any unsupported software increases the risk of a breach of protected health information (PHI) and is a violation.
For small to mid-sized practices, this presents a challenge because most practices don’t have a good idea of what software they have installed on their computers. Your risk assessment should uncover all software but the hard part is finding what is and what is not supported by vendors. This may entail contacting vendors to find out. Because of this, keeping on top of this isn’t an easy task for most practices.
However, as we will see later, this can be a very costly mistake if not addressed properly. Using any software product that is no longer supported by the manufacturer is a violation of the HIPAA Security Rule.
Don’t take our word for it…
The HIPAA Security Rule (45 C.F.R. § 164.308 (a)(5)(ii)(B) requires that any software that is used by Covered Entities or Business Associates must be kept current and up to date with updates from the software vendor (patched). If a vendor no longer supports a software program, it cannot be used. This is because of any vulnerabilities in the software that the manufacturer will not be patching. Having open holes in your cyber defenses puts patient data at risk. The best way to address this is to update to a version of the software that is supported. Products like operating systems, are usually supported for many years giving every practice time to update and budget.
A real-world case
In 2012, Anchorage Community Mental Health Services (ACMHS), a five-facility mental health organization, settled with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and paid $150,000 in penalties. This was due to a malware attack on the practice that impacted 2,743 patients.
In the HHS-OCR press release, OCR Director Jocelyn Samuels said:
“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
This shows how seriously HHS-OCR takes breaches that occur from using unsupported software. While a $150,000 fine is on the smaller side of HIPAA fines, I am sure that all practices wouldn’t want to pay this out when fixing the issue would likely have been far less expensive.
You can read the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) bulletin here.
We also did a case study on this incident here on our site that you can read here.
What exactly is unsupported software?
Software manufacturers will eventually decide a date that they will no longer offer updates or bug fixes to a software product. As technology improves, continuing to support some products becomes impossible. Imagine trying to use a Netscape browser from 1999 to surf the modern Internet. Netscape doesn’t have the necessary capabilities to view the overwhelming majority of today’s internet.
In addition, because most companies have limited resources to devote to software development, those teams need to be focused on new software and new features. To help with this process, software developers will declare that they will no longer produce any bug fixes or add any new features to a given product. This means that the product is no longer supported and is end-of-life. Most developers will usually give ample notice to users about this so that the end-user has enough time to upgrade or change to a different product.
For the purposes of security, the reason unsupported software is so dangerous is that if any security holes are later found in the product, they will not be fixed. Attackers and researchers are always on the look for bugs that lead to system compromise in many software products, especially if the product is widely used.
Imagine if you had a car that the brake pads were no longer made for it. You may try to buy up all the remaining pads you could find, but at some point, there will no longer be any available. At that point, your car is too dangerous to drive – both to you and to other drivers.
Computers with unpatched vulnerabilities are the same. If a vulnerability is found in a software application and it will never be fixed, anyone who is using that product is in danger. But this danger isn’t just to themselves, but also to their customers or patients. In the case of ACMHS above, their patient’s personal health records were exposed because the practice was using unpatched and unsupported software.
Microsoft Windows End-of-Life Dates
The most common application that all of us use every day is the computer’s operating system. For most users, this is Microsoft Windows. Periodically, Microsoft decides to stop supporting various versions of Windows. This is for both Windows desktops and servers. Once this happens, those products become insecure and for the medical practice, a HIPAA violation.
Since operating systems are something many end users only update when they purchase a new computer or server, these operating systems are often forgotten. This is especially true with servers. I have been in many practices that are still running Windows 2003 and 2008 servers. Their attitude is that the server is working there is no need to replace it. From a purely financial point of view, this is understandable. But this is what drives cybersecurity techs crazy. We are acutely aware of the vulnerabilities that exist in these systems and the danger the practices are in. A breach that utilizes any vulnerabilities in these apps will become even more expensive when HHS-OCR calculates its fines.
For operating systems, each practice needs to have a plan in place to upgrade any devices that are using unsupported software. Your risk assessment should have uncovered these so that you can plan.
Here is a list of the most common Windows and Windows server operating systems and their End-of-life dates. If you would like a more comprehensive list, please visit – Endoflife
|Windows 7 (All Versions)||January 14, 2020|
|Windows 8||January 16, 2016|
|Windows 8.1||January 10, 2023|
|Windows Server 2003||July 14, 2015|
|Windows Server 2008||January 10, 2023|
|Windows Server 2008 R2||January 10, 2023|
|Windows Server 2012||October 13, 2026|