The New HIPAA Risk: “Failure to Patch”
One more thing to worry about…with so much emphasis on new initiatives like ACOs, big data, MU, etc., it is easy to lose sight of the ‘old’. However, based on the first major fine levied as a HIPAA violation for ‘failure to patch’ and ‘running outdated, unsupported software’, it is essential to have a firm grasp on the inventory of legacy platforms and systems that make up your infrastructure. The exposure of operating systems and appliances that are not updated – or worse, that are no longer supported – is fast becoming a recurring theme on annual risk assessments.
A perfect example is the July 14, 2015 End-of-Life for Microsoft Windows Server 2003. If you’re wondering what the EOL means for you, the bottom-line is this – if you still have Server 2003 running within your datacenter after this date, you will no longer receive any patches or security updates, putting your applications and business at risk. New threats won’t be addressed and your Server 2003 estate will become a security risk and a compliance nightmare.
At Comport we are working with many hospitals that are discovering hundreds, even thousands, of servers that are impacted by this end-of-support. From Discovery to Migration we are working together with our top-tier partner to provide Server 2003 Assessments, and a clear Migration Roadmap that makes sense for your workloads based on the application’s risk and criticality to the organization, the application type, target platform, and the up-to-date system configurations needed to support such a transition.
Windows XP is another example of an operating platform that served us well, but now that it is no longer supported it presents a huge security exposure. Many ‘appliances’ in healthcare, such as medicine cabinets, smart IV pumps, and critical care monitors, to name a few, have been built on XP or other platforms that are no longer supported. Since these platforms may be exposed to new risks and can no longer be patched to remediate the problem, the systems and the information they hold (often PHI) are vulnerable to a breach.
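The Discovery step described above (finding Server 2003 hosts and XP-based appliances in an estate) comes down to checking an asset inventory against end-of-support dates. The following is an added example, not Comport's tooling: it reads a constructed inventory export, flags every asset whose OS is past end-of-support as of a chosen date, and ranks PHI-holding systems first. The Server 2003 date is the one the post cites; the Windows XP date (8 April 2014) is Microsoft's published end of support and is assumed here, as are the CSV column names.

```python
import csv
import io
from datetime import date

# End-of-support dates: Server 2003 from the post, XP assumed from Microsoft's lifecycle.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows XP": date(2014, 4, 8),
}

# Constructed sample of an asset-inventory export (columns are an assumption).
SAMPLE_INVENTORY = """\
hostname,os,role,holds_phi
lab-srv01,Windows Server 2003,lab results interface,yes
ivpump-07,Windows XP,smart IV pump,yes
web-02,Windows Server 2012 R2,intranet,no
medcab-3,Windows XP,medicine cabinet,no
"""


def parse_inventory(text):
    """Parse a CSV inventory export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def unsupported_assets(rows, as_of):
    """Return assets whose OS is past end-of-support on `as_of`.

    Ordered for remediation planning: PHI-holding systems first,
    then by how long the platform has been unsupported (longest first).
    """
    findings = []
    for row in rows:
        eol = END_OF_SUPPORT.get(row["os"].strip())
        if eol is None or as_of < eol:
            continue  # supported OS, or end-of-support still in the future
        findings.append({
            "hostname": row["hostname"],
            "os": row["os"].strip(),
            "days_unsupported": (as_of - eol).days,
            "holds_phi": row["holds_phi"].strip().lower() == "yes",
        })
    findings.sort(key=lambda f: (not f["holds_phi"], -f["days_unsupported"]))
    return findings


if __name__ == "__main__":
    for f in unsupported_assets(parse_inventory(SAMPLE_INVENTORY), date(2015, 8, 1)):
        flag = "PHI" if f["holds_phi"] else "   "
        print(f"{flag} {f['hostname']:<12} {f['os']:<24} {f['days_unsupported']:>4} days unsupported")
```

Running the same check with a date before 14 July 2015 shows only the XP assets, which is how the report can be used to plan ahead of the Server 2003 deadline rather than react after it.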
While we can lament the notion of taking on one more project, the stakes are too high to let this one slide. As usual, there’s no rest for the weary when it comes to protecting PHI.
Jim Cavanagh
Bill Flatley, Field CTO for Healthcare
Bill is responsible for technical strategies and recommendations for Comport’s Healthcare clients. His extensive experience includes four healthcare systems in leadership roles supporting Clinical Applications, Digital Health, and Office of the CIO as the primary liaison between IT and the business.