
Discussion Starter · #1 · Banned · 919 Posts
The Office Manager of one of my clients has received a generalized idea that there is an upcoming problem with Microsoft Server 2003 and maintaining HIPAA compliance. She has forwarded this question to me, and it is my responsibility to do the research.

I can find no substantiation for this online, and am posting this with the idea that the question can be resolved one way or the other. Obviously at some point MS Server 2003 will reach "end of life" and need to be phased out; however, the costs involved are significant and the system works just fine as it is. I am reluctant to fix something that isn't broken, as I believe that "better is the enemy of good".

I get a lot of general statements about how much better 2008 is than 2003; however, what I am looking for is a compelling reason to make the move, and/or some idea of what kind of deadline there may be.
 

Registered · 5,979 Posts
Here are the end-of-support dates for Server 2003. Mainstream support has already ended. Extended support is for another 2 years.

There is much more to HIPAA compliance than just making sure a server is in compliance. You can use this tool from Microsoft along with SCCM to determine if the server is configured for best practices.

Ultimately, a company that specializes in HIPAA audits would probably be worth investigating.
 

TSF Emeritus · 16,407 Posts
I handle the HIPAA security compliance for my company, which is a drug treatment center and contains a hospital wing. I wrote all of the documentation concerning HIPAA security compliance. Our QA person does the privacy part.

There is nothing in HIPAA that dictates what server OS or hardware you are on. It is concerned with how ePHI is handled and how this ePHI is accessed.

I would ask two things:
What business is this office manager in?
What is the specific question or concern?
 

Discussion Starter · #4 · Banned · 919 Posts
What business is this office manager in?
What is the specific question or concern?
It's a general medical practice, with electronic patient records being stored onsite on the server, and the primary concern is avoiding any legal issues, fines, etc. as a result of fast-changing medical rules and regulations due to Obamacare.

I'm a generalist, and do routine computer repair and replacement, troubleshoot network issues, etc., and am in competition with another computer person for building a new server, who has raised a lot of FUD by telling the Office Manager that somehow, and at some point, the current operating system (Server 2003) will not remain HIPAA compliant. I find no evidence that confirms or substantiates this, and "the other guy" did not give any specific reference for his assertions. So I am in the position of having to prove a negative, else he looks smarter and better informed, despite the fact that his proposal is inflated by at least 75%.
 

TSF Emeritus · 16,407 Posts
Your competitor is lying.

Obamacare is concerned with providing healthcare even to those that haven't been underwritten by insurance companies. It has no effect on the privacy and security requirements and recommendations of HIPAA.

Being a small office they have to:

have tested, known-good backups
have antivirus and update it regularly
require user accounts and passwords
do a risk assessment and review/update it regularly
keep the server physically secure
have a disaster recovery plan
not put ePHI on portable devices without full encryption
have protection from the internet [firewall]
not use the server to browse the internet
have written policies on how they handle and protect ePHI

It is recommended but not required that:
they have mirrored drives in the server for drive failover
they have offsite backup storage [not a home or in the trunk of a car]
they have a server maintenance plan
they have a controlled environment [AC for the server room/closet]
they have a firewall with subscriptions for virus and malware protection

A server OS doesn't put ePHI at risk even if it is no longer being patched. We keep our servers off the internet except when doing an update, and we use a WSUS server for that. We upgrade our servers' OS as hardware and server apps require, not because of any HIPAA requirements.

Again, it's not necessarily where the ePHI is stored or what OS it's stored on; that is not specified in HIPAA, since HIPAA has to cover everything from a single-doctor office to a mega hospital.

The important part of HIPAA compliance is doing due diligence in understanding what applies to your operation and how you fulfill those requirements. There is also a big difference between what is required and what is recommended. A lot of folks confuse the two, and there is also a lot of negative propaganda concerning Obamacare which simply isn't factual.
 

Registered · 1,754 Posts
The HIPAA requirements are very vague at best. There is no set standard, really.

Personally I have multiple healthcare clients and have set them up with the following.

Every user has their own logon/password.
They are only granted access to what they need and no more.
They are required to change their password every 3 months.
All backups are encrypted.
The servers are stored in a locked room with very limited access.
Firewalls are set up to only let the required traffic in.
All computers that are in the general vicinity of a patron ("someone not employed by the office") have a privacy screen on the monitor.

That's basically what I have done. One thing to do is document every security measure you use to comply with the HIPAA standards just in case you get an audit.

Once this has been done, I'd recommend having a company that specializes in HIPAA compliance come in and do an audit.
 

TSF Emeritus · 16,407 Posts
We don't do backup encryption [unless we send to a 3rd party, like our financial data] because that is a recommendation and not a requirement. You don't want to find yourself in the position of not being able to access your backups due to a corrupt/wrong encryption key.

It is more important that the backups are tested [can you restore a folder or file? Can you see the entire directory tree and see the files and folders in the backups?].

I have been on too many sites that said they had backups when in fact they did not, because no one checked them. Of course they find this out after the server drive has died.
 
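The two checks in the post above (can you restore a file, can you see the whole directory tree) can be turned into a repeatable test. The script below is an added example, not code from anyone in this thread: it assumes the backup tool has already restored the ePHI share to a scratch directory, then walks both the live tree and the restored tree, hashes every file, and reports anything missing, extra or silently corrupted. The `live`/`restored` directories and the sample "patient records" files are constructed inside the script so it runs offline; in real use you would point `verify_restore` at the live share and the test-restore location.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large records don't need to fit in RAM


def sha256_of(path):
    """SHA-256 digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_of(full)
    return digests


def verify_restore(source_root, restored_root):
    """Compare a test restore against the live tree.

    Returns a dict with sorted path lists 'ok', 'missing' (in live, not in
    restore), 'extra' (in restore only) and 'mismatched' (present but different
    content), plus 'passed', which is True only if nothing is missing or changed.
    """
    src = snapshot(source_root)
    rst = snapshot(restored_root)
    missing = sorted(p for p in src if p not in rst)
    extra = sorted(p for p in rst if p not in src)
    mismatched = sorted(p for p in src if p in rst and src[p] != rst[p])
    ok = sorted(p for p in src if p in rst and src[p] == rst[p])
    return {
        "ok": ok,
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
        "passed": not (missing or mismatched),
    }


def build_demo():
    """Constructed sample data (hypothetical): a tiny records tree and a
    simulated restore in which one file never came back and one is truncated."""
    base = tempfile.mkdtemp()
    live = os.path.join(base, "live")
    restored = os.path.join(base, "restored")
    files = {
        "records/2013/visit-001.txt": b"constructed sample record A\n",
        "records/2013/visit-002.txt": b"constructed sample record B\n",
        "billing/ledger.csv": b"id,amount\n1,100\n",
    }
    for rel, data in files.items():
        for root in (live, restored):
            p = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
    # Simulate a bad restore: one file missing, one silently truncated.
    os.remove(os.path.join(restored, "records", "2013", "visit-002.txt"))
    with open(os.path.join(restored, "billing", "ledger.csv"), "wb") as f:
        f.write(b"id,amount\n")
    return live, restored


if __name__ == "__main__":
    live_dir, restored_dir = build_demo()
    report = verify_restore(live_dir, restored_dir)
    for key in ("ok", "missing", "mismatched", "extra"):
        print("%-10s %s" % (key, report[key]))
    print("PASSED" if report["passed"] else "FAILED: restore is not usable")
```

Run it monthly against a fresh test restore and keep the printed report with the rest of the compliance documentation; a "PASSED" line is the evidence that the backup was actually checked, which is exactly what the post says most sites cannot show after the drive has died.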

Registered · 1,754 Posts
Correct, encryption of backups is not a requirement; we just do it.

And test restores are always a requirement on my networks, at least once a month as long as the client allows, which has never been a problem yet.
 