HIPAA Penalty for Unpatched/Unsupported Software

The Office for Civil Rights (OCR), which enforces HIPAA, announced a $150,000 penalty for a health clinic data breach that was caused by a lack of firewall protection combined with unpatched and unsupported software.

This validates what we have been saying all along: Windows XP (and other unsupported software) is not only a risk to the security of electronic Protected Health Information (ePHI), but also a HIPAA compliance violation, because HIPAA requires security patches to protect data against malicious software.

The settlement found that Anchorage Community Mental Health Services, Inc. “failed to implement technical security measures to guard against unauthorized access to e-PHI… by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."

Why You Can’t Use Windows XP, Microsoft Office 2003, or Microsoft Exchange Server 2003

“The HIPAA Security Rule is all about implementing effective risk management to adequately and effectively protect ePHI.” (National Institute of Standards & Technology, NIST)

“To comply with HIPAA, you must continue to review, correct or modify, and update security protections.” (Meaningful Use, Office of the National Coordinator for Health Information Technology)

On April 8, 2014, Microsoft ended security patches and updates for Windows XP, Microsoft Office 2003, and Microsoft Exchange 2003, leaving networks that still run these unsupported systems defenseless against attacks.

Some have argued that continuing to use Windows XP is not a risk, or that it is too expensive to change all of their organization’s computers and medical devices that run on XP. At least one association gave its members bad advice that it was OK for them to continue using Windows XP as long as they documented the risks.

The OCR did not help the situation when it said early this year that it does not specify which computer operating system is compliant, and that risks should be documented in a HIPAA Risk Analysis. While technically true, that statement failed to cite the OCR’s own requirements that risks identified in a Risk Analysis must be addressed to secure patient data, and that data must be protected against malicious software.

Unlike its vague guidance in the past (“The Security Rule does not specify minimum requirements for personal computer operating systems”), the Anchorage fine proves that the OCR really does require supported software for HIPAA compliance. This sets a precedent that can be enforced by every state Attorney General, the Federal Trade Commission, and state regulators, and even used as the basis for malpractice lawsuits. A breach caused by unsupported software could be VERY expensive.

“Do No Harm” Ethical Obligation & Smart Business

Medical organizations should understand that their ethical obligations to provide proper patient care extend to protecting the sensitive information in their patients’ medical records. If medical records are breached (lost or accessed without authorization), patient names, birth dates, Social Security numbers, driver’s license info, and medical histories can all be used for identity theft, fraud, or embarrassment that can hurt patients.

Breaches can be very costly for a medical organization. Penalties have ranged from $50,000 to $4.8 million. Notification costs, legal fees, and lost revenue add up fast. HIPAA has been used as a Standard of Care in malpractice suits, and in 2012 a jury awarded $1.4 million for malpractice when a patient’s information was released without authorization.

Continuing to use Windows XP and other unsupported software is ‘willful neglect’ of HIPAA, which carries the highest penalties.

Why would someone risk their business and their reputation, when it costs less to replace unsupported equipment than to pay the penalties, and it’s the right thing to do to protect patients?

Be Careful Where You Get Your HIPAA Advice

There is significant misunderstanding of HIPAA requirements. For example, in January 2014, the California Dental Association advised its members:

“The HIPAA Security Rule does not specifically require the use of operating systems that are manufacturer-supported so continuing to use Windows XP after April 8 is not in itself a HIPAA violation… So when does using Windows XP past April 8 become a HIPAA violation? When a dentist’s written risk analysis does not address the risks associated with using an unsupported operating system. As the risks increase over time, dentists are obligated to keep the risk analysis updated.”

Just documenting serious risks and not fixing them? That advice was like telling people that they don’t have to brush their teeth; they can eat all the candy and drink all the soda they want; and they don’t have to go to the dentist… as long as they write down what they are doing. Would the dental association agree?

The CDA owes it to its members to update its guidance so dentists don’t get fined or sued because of its bad advice.

California leads the country with its state data breach laws that exceed HIPAA. The CDA should also inform its members that, on January 1, California will require anyone who loses data, or has it accessed by an unauthorized person, to pay for credit monitoring for all those affected, for one year. If credit monitoring costs $100 per person per year, and a California dentist has 10,000 medical records, preventing a data breach by replacing XP systems could save a dentist a million dollars, not even counting notification costs and other penalties.

Uncooperative Vendors

A medical device vendor recently told a medical practice that they would have to wait two years before their contract would allow the replacement of an XP-based medical device. The practice pointed out the HIPAA requirement for Covered Entities to report their Business Associates to the Office for Civil Rights if they believe the Business Associate is not compliant with HIPAA, won’t fix the problems, and won’t let them out of a contract.

“Where a covered entity knows of a material breach or violation by the business associate of the (HIPAA Business Associate) contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).” http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html

Once the vendor knew that the practice might turn them in to be investigated, they immediately replaced the XP-based system with a new one.


A firewall connects your network to the Internet and has features to prevent threats such as unauthorized network intrusions (hacking) and malware from breaching patient information. When you subscribe to an Internet service, the provider often supplies a router to connect you to its service. These devices typically are not firewalls and lack the security features and update subscriptions necessary to protect your network from sophisticated and ever-changing threats.

You won’t find the word ‘firewall’ anywhere in HIPAA, but both the $150,000 Anchorage Community Mental Health Services HIPAA penalty and a $400,000 penalty at Idaho State University cited the lack of network firewall protection.

Anyone who has to protect health information should replace their routers with business-class firewalls that offer intrusion prevention and other security features. It is also wise to work with an IT vendor who can monitor your firewalls to ensure they continue to protect you against expensive and embarrassing data breaches.

Windows Server 2003 – Prepare Now

On July 14, 2015, Microsoft Windows Server 2003 will lose its security patches and updates. This popular server operating system runs many file and Electronic Health Record servers, and most users have no idea what they connect to through their network. Check with your IT department or outsourced IT vendor to see if you are using Server 2003.

While replacing computers is an easy tactical decision, replacing your servers is more strategic. You need to work with your IT and software vendors to be sure your software will work with a new server operating system. You may want to consider moving from a local server in your office to one hosted in a data center, in the cloud, or switch to a cloud-based Software-as-a-Service (SaaS) EHR and file server solution. You may be able to convert capital expenditures to operating expenditures, meaning you should include your accountant or CFO in the discussion to understand any tax considerations.

Don’t wait. Find out now if you have Windows Server 2003, and start planning so you aren’t scrambling next summer… but first get rid of any unsupported systems still on your network.
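One way to start the inventory the article asks for is to query Active Directory for computer accounts still reporting Windows XP or Windows Server 2003. The script below is an added example, not code from the article or from Semel Consulting; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to computer objects, and the report path is an assumption. The end-of-support dates are the ones stated in the article.

```powershell
# Added example: report domain-joined computers still running Windows XP or
# Windows Server 2003, with how long each has been past its end-of-support date.
# Assumes the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# End-of-support dates as stated in the article.
$EndOfSupport = @(
    @{ Pattern = 'Windows XP*';   Date = Get-Date '2014-04-08' },
    @{ Pattern = '*Server 2003*'; Date = Get-Date '2015-07-14' }
)

# Pull every enabled computer account with the attributes needed for the report.
# OperatingSystem is what the machine last reported to the domain, so a stale
# LastLogonDate means the entry may be a dead account rather than a live host.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

$report = foreach ($c in $computers) {
    foreach ($eos in $EndOfSupport) {
        if ($c.OperatingSystem -like $eos.Pattern) {
            [PSCustomObject]@{
                Name            = $c.Name
                OperatingSystem = $c.OperatingSystem
                ServicePack     = $c.OperatingSystemServicePack
                LastLogon       = $c.LastLogonDate
                EndOfSupport    = $eos.Date.ToShortDateString()
                # Negative values are clamped to 0 for systems not yet past the date.
                DaysPastEOS     = [math]::Max(0, ((Get-Date) - $eos.Date).Days)
            }
        }
    }
}

if ($report) {
    # Show the oldest exposures first and keep a CSV for the Risk Analysis file.
    $report | Sort-Object DaysPastEOS -Descending | Format-Table -AutoSize
    $report | Export-Csv -Path '.\unsupported-systems.csv' -NoTypeInformation  # assumed path
} else {
    Write-Host 'No Windows XP or Server 2003 computer accounts found in Active Directory.'
}
```

This only finds domain-joined machines; XP-based medical devices and anything else that never joined the domain need a separate network or asset inventory.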

Download our HIPAA Brief on Windows XP

Need a real risk analysis that accurately and thoroughly identifies your risks? Want to know what is really going on with the security of your patient data? Ask us about the surprises we have found in medical practices, hospitals, and with their Business Associates.

E-mail: hipaa@semelconsulting.com

Phone: 888-997-3635 x 101