Windows Server 2003 – Upcoming HIPAA Security Concern

Healthcare security breaches have, in recent years, resulted in costly penalties to covered entities. Data security threats that can lead to these breaches originate from many sources. A new source will be born on July 14, 2015.

As of July 14, 2015, Microsoft will end support for the Windows Server 2003 operating system. Microsoft and security experts are cautioning that Windows Server 2003 users will face increased security risks as a result of this change, largely due to the lack of new security updates. Windows Server 2003 will be significantly more susceptible to attacks, as criminals will have free rein to exploit vulnerabilities in the operating system without response from Microsoft in the form of security updates or technical content updates.

As in the past, users who handle electronic personal health information (ePHI) face a greater risk than others. A single personal health record is now worth more on the black market than a credit card number, Social Security number, and date of birth combined.

With strict enforcement of the HIPAA and HITECH Acts, and increased computer hacker interest in ePHI, it is increasingly necessary for covered entities to be confident in their ability to secure the data from threats. Microsoft’s decision to end support for Windows Server 2003 will make Windows Server 2003 users who handle ePHI an even greater target for criminals attempting to exploit the operating system’s potential new, unprecedented vulnerabilities.

LaSalle Consulting Partners, Inc. recommends that Fund administrators upgrade or replace any existing Windows Server 2003 devices that have access to ePHI prior to July 14 in order to avoid exposure to potential security threats inherent to Windows Server 2003.