Microsoft has just released its end-of-support list, and healthcare practices need to be aware of the implications for HIPAA compliance. The list's release emphasizes the importance of regular software updates to maintain compliance with federal regulations for PHI. This year's end-of-support list is remarkable for its scope: Microsoft appears to have chosen to end support for a variety of major programs that are still considered standard across many environments. Failing to update to newer programs could put many healthcare practices at risk of a HIPAA violation.
According to the HIPAA Security Rule, healthcare organizations must implement a comprehensive security plan that includes “procedures for detecting, guarding against, and reporting malicious software.” The Security Rule does not specifically mention software updates; however, failure to apply security updates is considered a HIPAA violation. Using outdated software is also considered a violation, since security updates cannot fully function on outdated software.
Furthermore, practices that fail to keep software current risk compatibility issues, delays in scheduling software, and even data loss. Microsoft will no longer release technical content or maintain support options for these older programs. While these systems will retain basic functionality after the end date, each day that follows increases the risk of a data breach or HIPAA violation.
Healthcare practices need to begin budgeting for and considering new hardware and software as soon as possible to prepare for the end dates. Unfortunately, there is no quick fix: purchasing, planning, and carrying out a hardware and software replacement is a major expense for most practices. Does your practice need to prepare? You can find the full list here.