HIPAA Compliance and Windows Server 2003

Last year, Microsoft stopped updating Windows XP, and so we wrote about how Windows XP would no longer be HIPAA compliant. If you’re still using Windows XP to access PHI, you’re a braver person than I. That’s just asking for a HIPAA violation.

It turns out that Windows Server 2003 is 5 months away from Microsoft ending updates for it as well. This could be an issue for many practices that have a local EHR install on Windows Server 2003. I’d be surprised if an EHR vendor or practice management vendor were still running a SaaS EHR on Windows Server 2003, but I guess it’s possible.

However, Microsoft just recently announced another critical vulnerability in Windows Server 2003 that involves Active Directory. Here are the details:

Microsoft just patched a 15-year-old bug that in some cases allows attackers to take complete control of PCs running all supported versions of Windows. The critical vulnerability will remain unpatched in Windows Server 2003, leaving that version wide open for the remaining five months Microsoft pledged to continue supporting it.

There are a lot more technical details at the link above. However, I find it really interesting that Microsoft has chosen not to fix this issue in Windows Server 2003. The article above says “This Windows vulnerability isn’t as simple as most to fix because it affects the design of core Windows functions rather than implementations of that design.” I assume this is why they’re not planning to do an update.

This lack of a fix for a critical vulnerability has me asking whether this means Windows Server 2003 is no longer HIPAA compliant. I think the answer is yes. Unsupported systems or systems with known vulnerabilities are an issue under HIPAA as I understand it. Hard to say how many healthcare organizations are still using Windows Server 2003, but this vulnerability should give them a good reason to upgrade ASAP.
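As an added example (not code from the original post), here is a PowerShell inventory script for finding domain computers that are still running Windows Server 2003, Windows 2000 or Windows XP, which is the first step toward knowing where you stand before end of support. It assumes the ActiveDirectory RSAT module is available for the live Get-ADComputer query; the computer list embedded in it is constructed so that the classification logic runs without a domain.

```powershell
# Added example: inventory domain-joined computers still on unsupported Windows versions.
# Assumes the ActiveDirectory RSAT module for the live query (commented out below);
# the $sample list is constructed so the script runs stand-alone.

# Wildcard patterns for operating systems Microsoft no longer supports (or soon won't).
# 'Windows Server*2003*' also matches the "Windows Server(R) 2003 ..." variants.
$UnsupportedOsPatterns = @(
    'Windows 2000*',
    'Windows XP*',
    'Windows Server*2003*'
)

function Test-UnsupportedOs {
    param([string]$OperatingSystem)
    foreach ($pattern in $UnsupportedOsPatterns) {
        if ($OperatingSystem -like $pattern) { return $true }
    }
    return $false
}

function Get-UnsupportedComputers {
    # Accepts AD computer objects (or anything with Name/OperatingSystem/LastLogonDate)
    # and emits one record per unsupported host, flagging ones nobody has logged on to
    # recently: these are the forgotten legacy servers that tend to hold old PHI.
    param(
        [Parameter(ValueFromPipeline)] $Computer,
        [int]$StaleDays = 90
    )
    process {
        if (-not (Test-UnsupportedOs $Computer.OperatingSystem)) { return }

        $lastLogon = $Computer.LastLogonDate
        $status = if ($null -eq $lastLogon) {
            'Never logged on / attribute missing'
        } elseif ($lastLogon -lt (Get-Date).AddDays(-$StaleDays)) {
            "Stale (no logon in $StaleDays days; possible forgotten legacy system)"
        } else {
            'Active'
        }

        [pscustomobject]@{
            Name            = $Computer.Name
            OperatingSystem = $Computer.OperatingSystem
            LastLogonDate   = $lastLogon
            Status          = $status
        }
    }
}

# Live query, run from a domain-joined admin workstation with RSAT installed:
# Get-ADComputer -Filter * -Properties OperatingSystem,LastLogonDate |
#     Get-UnsupportedComputers | Sort-Object LastLogonDate | Format-Table -AutoSize

# Constructed sample data so the classification can be exercised offline.
$sample = @(
    [pscustomobject]@{ Name = 'EHR-APP01';  OperatingSystem = 'Windows Server 2012 R2 Standard'; LastLogonDate = (Get-Date).AddDays(-1) },
    [pscustomobject]@{ Name = 'DC01';       OperatingSystem = 'Windows Server 2003 Standard';    LastLogonDate = (Get-Date).AddDays(-2) },
    [pscustomobject]@{ Name = 'LEGACY-EHR'; OperatingSystem = 'Windows 2000 Server';             LastLogonDate = (Get-Date).AddDays(-400) },
    [pscustomobject]@{ Name = 'FRONTDESK3'; OperatingSystem = 'Windows XP Professional';         LastLogonDate = $null }
)

$sample | Get-UnsupportedComputers | Format-Table -AutoSize
```

The live query returns every computer object in the domain, so the filtering is done client-side to keep the pattern list in one place; on a large domain you can push the OS filter into `-Filter` instead. Hosts flagged as stale deserve a second look even if they hold no PHI, since a forgotten Windows 2000 or 2003 box is exactly the kind of system that ends up as the unpatched foothold.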

About the author

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • The HIPAA Security Rule is technology neutral. To state that continued use of Windows XP is a HIPAA violation is false. If the risk of continued use is sufficient and no action is taken to mitigate the risk, that may be a violation. Let’s be fully honest here.

  • How can Microsoft decide not to patch a product that is due to be retired 5 months from now? Doesn’t that amount to a breach of trust and breach of contract with its customers?

  • Kishore,
    That was shocking to me as well. As a business, I understand that it’s a deeply rooted issue that they might not even be able to fix in the 5 months they have left. However, there’s definitely something awkward about saying we’ll support the software for another 5 months and then saying, except for this really hard problem, which we’re not going to deal with.

  • So why would one continue to use ANY server based on Microsoft Windows rather than Linux? Once the Microsoft server dependency is broken, it’s up to you what OS you choose to use on the client (PC, Mac, etc.).

    Are EMR offerings for some reason confined to the Microsoft community?

  • David,
    Some of the EHRs are built on Microsoft and can’t move. The doctor doesn’t have a choice in that situation. Or at least their choice is to switch EHR vendors, which is harder than dealing with Microsoft.

  • I should have mentioned one other thing. What kind of EHR vendor doesn’t move from Windows Server 2003? That’s 12 years old and there’s been how many newer versions of Windows Server released?

    Although, the issue is likely not the EHR vendor. If the EHR vendor doesn’t support anything newer than Windows Server 2003, then maybe switching EHRs is a good idea. However, the more likely scenario is that the doctor didn’t want to buy a new server or new software, so the EHR vendor tried to save the doctor money by continuing to support Windows Server 2003, and now it comes back to bite them. The same thing could happen on Linux if the EHR vendor isn’t proactive about getting their clients to upgrade to the new OS.

  • Your last comment was what I was about to mention: I’d be shocked – no no, not shocked – surprised if there is still an EHR that is considered Meaningful Use certified that is running on server 2003.

    If there is one thing I’ve seen in the last few years, it has been a push by the EHR vendors to upgrade to the latest version of Server. It almost appears to me to be an attempt to drive those using in-house servers nuts with upgrades and move them to the cloud version.

    I think the more realistic situation here is this:
    EHR on server 2008/2012
    Active directory/terminal server on 2003.
    This doesn’t help the situation, but people need to understand where they stand.

    @David: I don’t disagree with your statement…I’ve wondered for a long time why this wasn’t being done, but I’ll bet it falls under the can’t-get-fired-for-choosing-microsoft mentality.

    @Chris: while HIPAA is technology neutral, isn’t up-to-date technology required? Besides, any IT person who doesn’t require their clients to move from a no-longer-supported operating system OR ensure the current OS is patched/updated should be fired.

  • John Brewer,
    Mike Semel made an interesting comment to me as well about this. Their current EHR is often upgraded, but their legacy EHR has likely not been upgraded and could be the issue. He told me about a Windows Server 2000 install he found. Always easy to forget about the legacy data.

  • The comment about legacy systems is a great example of “what are you supposed to do?” You may still access the data periodically for whatever reason, but the system isn’t supported and it is stuck on an old or proprietary OS. Would that be considered a violation? What are your options?

  • Pat,
    It would likely be considered a violation because you knew it was outdated and didn’t update it. You might be able to mitigate the risk enough (take it off the network, etc) to try and avoid the issue, but it would depend on the architecture of the application.

    Another option I see happening is people moving it to virtual boxes or using an application that will basically export all of the data to a PDF/image so that it is still available and searchable, but it’s not on the old legacy system. Those are a few options I’ve seen.
