Firewall & Windows XP HIPAA Penalties

Anchorage Community Mental Health Services, Inc., has just been assessed a $150,000 penalty for a HIPAA data breach. The title of the OCR bulletin for the HIPAA settlement is telling: “HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software.” It seems that OCR wanted to communicate clearly that unpatched and unsupported software is a HIPAA violation.

If you’re a regular reader of EMR and HIPAA, then you might remember that we warned you that continued use of Windows XP would be a HIPAA violation since Windows stopped providing updates to it on April 8, 2014. Thankfully, it was one of our most read posts with ~35,000 people viewing it. However, I’m sure many others missed the post or didn’t listen. The above example is proof that using unsupported software will result in a HIPAA violation.

Mike Semel has a great post up about this ruling, and he also points out that Microsoft Office 2003 and Microsoft Exchange Server 2003 should be on the list of unsupported software alongside Windows XP. He also noted that Windows Server 2003 will stop being supported on July 14, 2015.

Along with unsupported and unpatched software, Mike Semel offers some great advice on firewalls and HIPAA:

A firewall connects your network to the Internet and has features to prevent threats such as unauthorized network intrusions (hacking) and malware from breaching patient information. When you subscribe to an Internet service they often will provide a router to connect you to their service. These devices typically are not firewalls and do not have the security features and update subscriptions necessary to protect your network from sophisticated and ever-changing threats.

You won’t find the word ‘firewall’ anywhere in HIPAA, but the $150,000 Anchorage Community Mental Health Services HIPAA penalty and a $400,000 penalty at Idaho State University have referred to the lack of network firewall protection.

Anyone who has to protect health information should replace their routers with business-class firewalls that offer intrusion prevention and other security features. It is also wise to work with an IT vendor who can monitor your firewalls to ensure they continue to protect you against expensive and embarrassing data breaches.

Be sure to read Mike Semel’s full article for other great insights on this settlement and what it means.

As Mike aptly points out, many organizations don’t want to incur the cost of updating Windows XP or implementing a firewall. It turns out, it’s much cheaper to do these upgrades than to pay the HIPAA fines for non-compliance. Let alone the hit to your reputation.

About the author

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Docs need to stop being cheapskates on computers and networking equipment. Yes, it stinks this is being pushed on you, but…taxes stink, too.

    It is time to start taking this seriously or you’ll be the next one with the 6-figure violation.

    There are many things that are not specifically said in the HIPAA regulations and in my risk assessments I address multiple items that are not specifically mentioned, yet are RISKS.

    The common question I get is, “is that a HIPAA requirement?”

    My response is “not specifically…yet”.

    The other thing docs need to realize is THEM spending all of THEIR time on figuring out HIPAA is a complete mis-allocation…and having that practice manager of yours…who barely understands Save vs. Save As is also NOT the person to have in charge of figuring out your HIPAA compliance.

    As one who spent many years in the top secret world of the military, HIPAA is looking more and more like that world – and that is not necessarily a bad thing.

    One last thing, stop the belly aching. The mortgage world is going through almost the exact same thing right now, lots of growing pains, lots of privacy issues, lots of business associates who have to be investigated.
    The difference?
    They do it.

  • Or take the penalties and go back to paper. The cost of this is extremely high for practices, and truthfully the benefits are still trying to be proved. Many issues; the industry better solve the cost factor.

  • Frankly, no one is secure in this world today. The business of hacking and crypto encryption has changed the game, and moreover, really stresses the cost benefit of implementing an EHR solution.
