There could be a “pending doom” of HIPAA violations with Windows Server 2003 end of life. You can’t afford to ignore it.
June 30, 2015, Michael Morris, Senior Editor, iTelemedicine
At midnight on July 14, 2015, the chariot turned into a pumpkin for 11 million copies of Windows Server (WS) 2003, as Microsoft discontinued its support. The healthcare industry has, perhaps, been one of the slowest industries to respond to this looming deadline. As of July 15, any healthcare provider running even a single copy of WS 2003 will be out of compliance with HIPAA. The fines for noncompliance could be staggering and the actual costs of data breaches even greater.
And though Microsoft warned the industry about its end of service (EoS) for WS 2003 as early as April 2013, many organizations have yet to begin their migration away from the server platform. In fact, only 34 percent will have migrated their WS 2003 applications in time for the July deadline; just 29 percent are expected to complete migration by the end of 2015; and 27 percent still had no migration plan in place, according to a 2014 AppZero survey of Fortune 1000 companies. Worse yet, many health industry organizations and health IT professionals are unaware of the immense financial liability and security risks they potentially face if they continue running WS 2003 past the EoS date.
We recently spoke with Etienne Grima, CEO of CardioComm Solutions, about the delayed migration and the looming hard deadline, which is fraught with HIPAA noncompliance problems.
“It’s very expensive, and it takes a lot of time,” Grima said. “You can imagine how difficult it is for a hospital to switch all of its desktops and servers. Now, medical software in a hospital — which typically runs on servers — will no longer be on a supported platform as of mid-July.”
He warned that it’s vital for healthcare facilities to have some sort of migration plan in place. If they don’t, they’ll be highly susceptible to system failure with no support, which is a recipe for disaster. “You also run the risk of being penalized,” Grima explained. “Penalties may be in the form of fines, or as in Canada, reimbursements tied to your systems being compliant.”
George Tierney, COO at SnapMD, added that there is also a broader cultural problem, since the healthcare industry has been the slowest to adopt new technology in general. “If you are an IT manager, you are not incentivized to outsource,” Tierney said. “Large organizations get mired down in very specific technology managed by local IT forces, leaving them with few options.”
Tierney also noted that the financial industry addressed this issue years ago. “Rather than having large internal IT teams managing all their technology locally, they have moved to specialists. This includes data centers that have the sole purpose of securing that data and keeping those systems up to date,” he explained.
Record fines and vulnerability to data breaches are right around the corner for those who have not upgraded their operating systems and workstations. Along with software migration, much of the existing physical hardware will not be capable of running a newer WS version and will likely need to be upgraded as well. If you think that’s an expensive upgrade, consider the consequences: HIPAA noncompliance fines, data-breach vulnerability and threats to reimbursement.
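A migration plan has to start from an accurate inventory, and the article's point is that many organizations do not know how many WS 2003 systems they still run. The following is an added example, not code from iTelemedicine or from any of the people quoted above; it assumes an Active Directory domain, the RSAT ActiveDirectory PowerShell module, and an account allowed to read computer objects. It lists every domain-joined computer object that reports a Windows Server 2003 operating system, flags which ones are still authenticating, and writes the result to a CSV for the migration team.

```powershell
# Added example (not from the article): enumerate domain-joined Windows Server 2003 hosts
# so a migration plan can start from an actual inventory rather than an estimate.
# Assumes the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# Windows Server 2003 and 2003 R2 report OperatingSystemVersion 5.2 (build 3790).
$legacy = Get-ADComputer -Filter 'OperatingSystem -like "*Server 2003*"' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, Enabled

# Treat hosts that have authenticated in the last 90 days as live; anything older
# is probably decommissioned and should be verified, then disabled.
$cutoff = (Get-Date).AddDays(-90)

$report = @($legacy | ForEach-Object {
    [PSCustomObject]@{
        Name      = $_.Name
        OS        = $_.OperatingSystem
        Version   = $_.OperatingSystemVersion
        LastLogon = $_.LastLogonDate
        Enabled   = $_.Enabled
        Status    = if ($_.Enabled -and $_.LastLogonDate -gt $cutoff) { 'ACTIVE - migrate' }
                    elseif ($_.Enabled) { 'Stale - verify and disable' }
                    else { 'Disabled' }
    }
})

$report | Sort-Object Status, Name | Format-Table -AutoSize
$report | Export-Csv -Path .\ws2003-inventory.csv -NoTypeInformation

$active = @($report | Where-Object Status -like 'ACTIVE*').Count
"Total WS 2003 computer objects: {0}; still active: {1}" -f $report.Count, $active
```

Two caveats a practitioner should keep in mind: the OperatingSystem attribute is whatever the machine last wrote to its own computer object, so standalone servers and appliance-style medical devices that are not domain-joined will not appear and need a separate network or asset-management sweep; and LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the real last logon by up to about two weeks, so a host that looks stale may still be in use.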
Record fines for HIPAA violations
HIPAA violation fines hit a record high in 2014. For example, a $4.8 million fine was levied against New York & Presbyterian Hospital (NYP) and Columbia University (CU) in May 2014, when a CU physician deactivated a personally owned computer server. This compromised a shared network firewall, making the electronic protected health information (ePHI) of 6,800 patients accessible via search engines. The penalty was issued because the organizations failed to conduct a risk analysis and did not implement the required safeguards to mitigate the risk to their ePHI.
This year, the Health and Human Services Office for Civil Rights (OCR) will also begin audits and enforcement of not only “covered entities,” but of their business associates and contractors as well. This includes audits of 350 covered entities and 50 business associates, including their subcontractors, which provide services for covered entities.
Early 2015 OCR audits were delayed as Phase 2 of its audit program was still under development. It is expected that the last half of 2015 will see an expedited rollout of Phase 2 audits. However, audits are just the first of several actions that the department may take to ensure compliance. OCR also responds to HIPAA violation complaints. From April 14, 2014 to May 31, 2015, the OCR received a total of 115,929 complaints, and corrective action was taken in 69 percent of those cases.
Although the costs of migrating from WS 2003 are in some cases daunting, the potential costs of not upgrading, in fines alone, can be far greater. The bigger risk, however, lies in the data breaches themselves.
Data breach vulnerability
The true, total cost of data breaches can far exceed the fines issued by OCR for noncompliance. Individual data breaches were estimated to cost healthcare companies an average of $3.5 million, according to a report issued by the Ponemon Institute earlier this year. It estimated the total annual cost to the healthcare industry to be $5.6 billion, not including the cost to the reputations and future business of the organizations themselves.
Data breach vulnerability began July 15 with WS 2003 EoS, but the biggest threat will come in September and October when Microsoft releases new security patches for WS 2008 and 2012. Attackers are expected to analyze those patches to work out which holes Microsoft closed in its supported products, then check whether WS 2003 shares the same holes. Because WS 2003 will never receive the corresponding fixes, any shared hole stays open on every WS 2003 system from that point on.
In early 2015, the FBI issued a stark warning to the healthcare industry: cybercriminals were likely to target the healthcare sector in the coming year, and hospital networks and medical devices would face a dramatically increased risk of attack.
The FBI attributed the raised threat to the mandatory transition to electronic health records (EHR), lax security and the increased black market value of medical records. Enter WS 2003 EoS — along with its inherent security issues — and you have a perfect storm of data vulnerability brewing this summer and beyond.
CardioComm Solutions is a software solutions provider for ambulatory ECG arrhythmia monitoring.
© Copyright 2015, iTelemedicine – News, Events & Industry Resources