
Healthcare Data Breach Deja Vu…More Like Groundhog Day

Posted on January 27, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


I was intrigued by Ryan Witt’s comment that the latest round of healthcare data breaches feels like deja vu. In many ways he’s right, although I’d compare it more to the movie Groundhog Day than to deja vu. If it feels like we’ve been through this before, it’s because we have. The iHealthBeat article he links to outlines a wide variety of healthcare breaches, and the pace at which breaches are occurring is accelerating.

I think we know the standard script for when a breach occurs:

  1. Company discovers a breach has occurred (or often someone else discovers it and lets them know)
  2. Company announces that a “very highly sophisticated” breach occurred to their system. (Note: It’s never admitted that they did a poor job protecting their systems. It was always a sophisticated attack)
  3. Details of the breach are outlined along with a notice that all of their other systems are secure (How they know this 2nd part is another question)
  4. They announce that there was no evidence that the data was used inappropriately (As if they really know what happens with the data after it’s breached)
  5. All parties that were impacted by the breach will be notified (Keeping the US postal service in business)
  6. Credit monitoring is offered to all individuals affected by the breach (Makes you want to be a credit monitoring company doesn’t it?)
  7. Everything possible is being done to ensure that a breach like this never happens again (They might need to look up the term “everything” in Webster’s dictionary)

It’s a pretty simple 7-step process, no? Have we seen this before? Absolutely! Will we see it again? Far too often.

Of course, the above just covers the public facing component of a breach. The experience is much more brutal if you’re an organization that experiences a breach of your data. What do they say? An ounce of prevention is worth a pound of cure. That’s never more appropriate than in healthcare security and privacy. Unfortunately, far too many are living in an “ignorance is bliss” state right now. What they don’t tell you is that ignorance is not bliss if you get caught in your ignorance.

Will Misunderstandings Around The HIPAA Conduit Exception Rule Result In Organizations Failing The Phase 2 Audits?

Posted on December 14, 2015 | Written By

The following is a guest blog post by Gene Fry from Scrypt, Inc.
In January 2013, the HHS defined the ‘conduit exception’ as part of the HIPAA Omnibus Final Rule, which was created to strengthen the privacy and security protections for health information.

The HIPAA conduit exception rule is applicable to providers of conduit services who do not have access to protected health information (PHI) on a routine basis. This means that they do not have to sign a Business Associate Agreement (BAA). However, some providers who do not fall under this definition are still claiming that they are HIPAA compliant. It is crucial that healthcare organizations understand exactly what this rule means, and how it may affect them if selected for an audit, or if a breach should occur.

What is a HIPAA Business Associate Agreement?
There are a number of providers who state they offer HIPAA compliant solutions for transmitting or storing PHI, and yet they are unwilling to sign a BAA.

As stated in the HIPAA Privacy and Security Rules, a business associate is defined as:

“[a] Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”

Therefore, any organization or business that handles protected health information is considered to be a business associate and must sign a BAA. As the BAA acts as a contract between a HIPAA covered entity and a business associate, without one the provider is not accountable for protecting the PHI it is handling or transmitting – meaning that it is not HIPAA compliant.

Phase 2 HIPAA audits are due to begin in early 2016, and the transmission and storage of PHI is likely to be an area that the Office for Civil Rights (OCR) focuses on, as a result of the large number of noncompliance findings reported in the phase 1 audits conducted in 2012. While the phase 1 audits applied only to covered entities, in this round business associates will also be subject to audits by OCR. This means that business associates can be held accountable for data breaches, and penalized accordingly for noncompliance.

Every covered entity must have a BAA in place with the organization responsible for PHI managed on their behalf. Without it, like a weak link in the chain, the whole system becomes noncompliant.

When does the exception rule apply?
There are instances where the HIPAA conduit exception rule does apply. For entities that simply transport or transmit PHI (such as the United States Postal Service, couriers, and their electronic equivalents), that do not have routine access to PHI beyond infrequent or random access, and to which disclosure of the PHI is not intended, the HIPAA conduit exception rule is likely to apply.

The rule is rather confusing and open to interpretation when it comes to electronic protected health information (ePHI), as occasional, random access by a data transmission entity does not necessarily make the entity a HIPAA business associate. An example of an organization that would not require a BAA is an ISP: it checks whether ePHI transmitted over its network is arriving at its intended destination, but does not access or store the data.

Random or infrequent access as defined by the HIPAA rules is explained in the preamble to the rules, which explicitly states that the “mere conduit” exception is intended to include organizations that deal with “any temporary storage of transmitted data incident to such transmission.” It is the ‘temporary storage’ terminology used in the rule that healthcare organizations often misinterpret.

The preamble defines the distinction between transmission (including incidental storage associated with such transmission) and ongoing storage. The difference between those two situations “is the transient versus persistent nature of” the opportunity to access PHI. This means that a data storage company that has access to PHI still qualifies as a business associate, even if the entity does not view the information – or only does so on a random or infrequent basis.

Be wary of providers who refuse to sign a BAA
If a provider is unwilling to sign a BAA, the advice from David Holtzman of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division, is: “If they refuse to sign, don’t use the service.”

However, providers are citing the HIPAA conduit exception rule as the reason that a BAA is not required. By stating that they are acting as a ‘simple conduit for information’, they are stipulating that they are excluded from the definition of a business associate. This effectively absolves the provider of signing a BAA, and gets them off the compliance hook, while putting their customers at risk of not being compliant.

An entity that manages the transmission and storage of PHI, such as a HIPAA compliant cloud hosting company, or a HIPAA compliant fax or messaging provider does have more than “random access” to PHI – meaning that they do meet the definition of a HIPAA business associate. Any organization that is transmitting and receiving information that includes PHI falls into the category of business associates – and should be willing to sign a BAA.

Some providers will not sign a BAA because they claim to offer only what they call a “conduit service,” which technically lets them state that they are HIPAA compliant, although this is untrue in many cases. In addition to offering services that relate to the transmission and storage of PHI, they may also guarantee that they will disable automatic forwarding of messages to email, disable SMS texting, and delete all faxes, voicemails and recordings after a short period, all in order to get out of signing the BAA.

Providers who offer a range of telecommunications services – some of which are purely conduit – may also refuse to sign a BAA for customers only requiring data transmission services due to the fact that their fax and SMS services are not actually HIPAA compliant. Again, these providers claim that they are HIPAA compliant because they can provide purely conduit services as part of their offering.

How can I ensure compliance when selecting a provider?

  • Never select a provider who is unwilling to sign a BAA.
  • Be wary of providers who refer to the HIPAA conduit exception rule if they will have access to ePHI – even if it is random or infrequent.
  • Ask the provider to prove its track record of safeguarding ePHI.
  • Check that the provider is able to demonstrate that their staff are trained in HIPAA compliance.

When selecting a provider, if they are truly HIPAA compliant they will sign a business associate agreement because they are required to, and they should demonstrate a willingness to comply. A BAA acts as the contract between a HIPAA covered entity and a business associate, and without one the provider is not accountable for protecting the PHI it is handling or transmitting – meaning that it is not HIPAA compliant. Be wary of organizations that hide behind the conduit exception rule, or you may find your organization bears the brunt of OCR audits should a breach occur.

About Gene Fry
Gene joined the Scrypt, Inc. family in October 2001. He has 25 years of IT experience working in industries such as healthcare and for companies based in the U.S. and in Latin America. Gene is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute. In addition, he is certified as a HIPAA Privacy and Security Compliance Officer by the Identity Management Institute and as a Certified Electronic Health Record Specialist (CEHRS™) through the National Health Career Association, and he holds a Gramm-Leach-Bliley Act (GLBA) certification from BridgeFront and J. J. Keller. In his spare time, Gene rides a Harley-Davidson as part of the Austin, Texas Chapter.

Healthcare Data Breaches Infographic

Posted on November 23, 2015 | Written By John Lynn

Royal Jay has put out this infographic (see below) which summarizes the impact of many of the health care data breaches we’ve seen hitting the news over the past few years. One problem with these infographics is that the numbers are so huge, I think many organizations have grown numb to breaches. I imagine many organizations kind of throw their hands up in the air and say that a breach is inevitable. That’s a scary position to take. Certainly you can’t be 100% secure, but you can make it hard enough that a breach is less likely.

What stands out to you in this health care data breach infographic?

Owensboro Health Muhlenberg Community Hospital Breach

Posted on November 17, 2015 | Written By John Lynn

In this week’s HIPAA breach rubbernecking, we have the FBI discovering suspicious network activity from third parties at Owensboro Health Muhlenberg Community Hospital, a 135-bed acute care hospital in Kentucky. Here’s a description of the incident:

On September 16, 2015, the Federal Bureau of Investigation (FBI) notified the hospital of suspicious network activity involving third parties. Upon learning this information, the hospital took immediate action, including initiating an internal investigation and engaging a leading digital forensics and security firm to investigate this matter. Based upon this review, the hospital confirmed that a limited number of computers were infected with a keystroke logger designed to capture and transmit data as it was entered onto the affected computers. The infection may have started as early as January 2012.

I’m quite interested in how they came up with the January 2012 date. Was that the date that the infected computers were installed? Are they just being cautious and assuming that the computers could have had the keylogger since the beginning and they’re handling the breach that way?

Of course, Muhlenberg Community Hospital is sending breach notifications to all patients in their records database, as well as employees, contractors and providers that were credentialed at the hospital since 2012. They don’t give a number for how many records or people this constitutes, but it has to be a massive number.

Here’s a look at what information they think could have been accessed by the keylogger:

The affected computers were used to enter patient financial data and health information, information about persons responsible for a patient’s bill and employee/contractor data, including potentially name, address, telephone number(s), birthdate, Social Security number, driver’s license/state identification number, medical and health plan information (such as health insurance number, medical record number, diagnoses and treatment information, and payment information), financial account number, payment card information (such as primary account number and expiration date) and employment-related information. Additionally, some credentialing-related information for providers may be impacted. The hospital also believes that the malware could have captured username and password information for accounts or websites that were accessed by employees, contractors or providers using the affected terminals. The hospital has no indication that the data has been used inappropriately.

They’re offering the usual identity protection services to all those affected. However, I was quite interested in their expanded list of steps people can take to guard against possible identity theft and fraud:

  • Enroll in Identity Protection Services
  • Explanation of Benefits Review
  • Check Credit Reports
  • Review Payment Card Statements
  • Change Your Passwords
  • Consult the Identity Theft Protection Guide

It’s clear that the number of breaches is accelerating. However, this case is particularly interesting because it could have been breached for the past 3 years and they’re just now finding it out. I expect we’ll see a lot more of this activity in the future.

10.5 Million Person Healthcare Hack Revealed 19 Months Later

Posted on September 21, 2015 | Written By John Lynn

As we (and pretty much everyone) predicted, the number of healthcare breaches continues to grow. In the latest case, Rochester, New York-based Excellus BlueCross BlueShield and related companies were hacked. As per usual, the hackers, described as “shadowy groups in China,” mounted a “sophisticated cyberattack” which compromised data including names, addresses, telephone numbers, Social Security numbers, financial account information, and some medical information.

Here’s a description of the 10.5 million records that were affected:

Affected parties include about 7 million people who are insured by Excellus, patients covered by those policies and Blue Cross Blue Shield members from other parts of the country who received medical care that was billed through Excellus, Redmond said. Excellus is the largest health insurer in the Rochester area.

The records of an additional 3.5 million people who receive services through five Lifetime units — Lifetime Health, Lifetime Care, Univera Healthcare, MedAmerica and Lifetime Benefits Solutions — also were breached by the hackers.

The irony of this story is that the initial hack seems to have occurred on Dec 23, 2013, but wasn’t discovered by the staff until much later. The report suggests that the hack wasn’t discovered until they investigated their own systems after the 78.8 million person Anthem breach. What’s not clear to me is why it took them so long after that breach, which occurred in February 2015, to finally announce their own breach.

The company is offering the standard two years of identity and credit card protection to affected individuals. Does this all feel somewhat routine now? I’m sorry to say that it’s become so common that it almost feels like a non-event. It probably doesn’t feel that way to the millions of patients who got a notice in the mail. Although, with breaches of Google, Amazon, Target, etc., I think we’re all becoming somewhat numb to breaches of our personal data.

Is HIPAA Misuse Blocking Patient Use Of Their Data?

Posted on August 18, 2015 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Recently, a story in the New York Times told some troubling stories about how HIPAA misunderstandings have crept into both professional and personal settings. These included:

  • A woman getting scolded at a hospital in Boston for “very improper” speech after discussing her husband’s medical situation with a dear friend.
  • Refusal by a Pennsylvania hospital to take a daughter’s information on her mother’s medical history, citing HIPAA, despite the fact that the daughter wasn’t *requesting* any data. The woman’s mother was infirm and couldn’t share medical history — such as her drug allergy — on her own.
  • The announcement, by a minister in California, that he could no longer read the names of sick congregants due to HIPAA.

All of this is bad enough, particularly the case of the Pennsylvania hospital refusing to take information that could have protected a helpless elderly patient, but the effects of this ignorance create even greater ripples, I’d argue.

Let’s face it: our efforts to convince patients to engage with their own medical data haven’t been terribly successful as of yet. According to a study released late last year by Xerox, 64% of patients were not using patient portals, and 31% said that their doctor had never discussed portals with them.

Some of the reasons patients aren’t taking advantage of the medical data available to them include ignorance and fear, I’d argue. Technophobia and a history of just “trusting the doctor” play a role as well. What’s more, poring through lab results and imaging studies might seem overwhelming to patients who have never done it before.

But that’s not all that’s holding people back. In my opinion, the climate of fear around medical data that HIPAA misunderstandings have created is playing a major part too.

While I understand why patients have to sign acknowledgements of privacy practices and be taught what HIPAA is intended to do, this doesn’t exactly foster a climate in which patients feel like they own their data. While doctors’ offices and hospitals may not have done this deliberately, the way they administer HIPAA compliance can make medical data seem portentous, scary and dangerous, more like a bomb set to go off than a tool patients can use to manage their care.

I guess what I’m suggesting is that if providers want to see patients engaged and managing their care, they should make sure patients feel comfortable asking for access to and using that data. While some may never feel at ease digging into their test results or correcting their medical history, I believe that there’s a sizable group of patients who would respond well to a reminder that there’s power in doing so.

The truth is that while most providers now give patients the option of logging on to a portal, they typically don’t make it easy. And heaven knows even the best-trained physician office staff rarely take the time to urge patients to log on and learn.

But if providers make the effort to balance stern HIPAA paperwork with encouraging words, patients are more likely to get inspired. Sometimes, all it takes is a little nudge to get people on board with new behavior. And there’s no excuse for letting foolish misinterpretations of HIPAA prevent that from happening.

HHS Privacy and Security Rules Cheat Sheet Infographic

Posted on August 6, 2015 | Written By John Lynn

Scrypt has put out the infographic below to help summarize the guide to Privacy and Security of Electronic Health Information that HHS put out. Of course, the full guide is 62 pages of detailed information, but this will give you a flavor for what’s in the guide.
HHS Privacy and Security Rule Infographic

Patient Data Breach at UCLA Hospital System Possibly Impacting 4.5 Million Patients

Posted on July 17, 2015 | Written By John Lynn

The LA Times is reporting that UCLA Health System has had a data breach possibly affecting 4.5 million patients. It’s the usual story of a HIPAA breach of this size. They saw some abnormal activity on one of their systems that contained a large amount of patient records. They don’t have any evidence that such data was taken, but hackers are usually really good about not leaving a trail when they take records.

Here are some comments from UCLA Health as quoted in the LA Times article linked above:

“We take this attack on our systems extremely seriously,” said Dr. James Atkinson, interim associate vice chancellor and president of the UCLA Hospital System.

In an interview, Atkinson said the hospital saw unusual activity in one of its computer servers in October. An investigation confirmed in May that the hackers had gained access to patient information.

“They are a highly sophisticated group likely to be offshore,” he said. “We really don’t know. It’s an ongoing investigation.”

I have yet to see a hospital say they don’t take a breach seriously. I’ve also never seen a hospital say that they were hacked by unsophisticated hackers that exploited their poor security (although, you can be sure that happens in every industry). Of course it had to be a sophisticated attack for them to breach their amazing security, right?

What’s not clear to me is why it took them so long to confirm they’d been hacked. The LA Times article says that they saw the unusual activity in October and it took until May to confirm that “the hackers had gained access to patient information.” Now we’re just getting the public notification in July? All of that seems long, but maybe the attack was just that sophisticated.

What’s scary for me is that these types of breaches have become so commonplace that I’m not surprised and it’s not shocking. In fact, they’ve almost become standard. Next up will be UCLA Health System setting up some type of credit protection service for their patients, assuming there was some financial data there as well. I don’t think we should treat these breaches as normal. They should be a wake-up call to everyone in the industry, but I’m sorry to say that it feels more like the norm than the exception.

Does Federal Health Data Warehouse Pose Privacy Risk?

Posted on June 23, 2015 | Written By Anne Zieger

Not too long ago, few consumers were aware of the threat data thieves posed to their privacy, and far fewer had even an inkling of how vulnerable many large commercial databases would turn out to be.

But as consumer health data has gone digital — and average people have become more aware of the extent to which data breaches can affect their lives — they’ve grown more worried, and for good reason. As a series of spectacular data breaches within health plans has illustrated, both their medical and personal data might be at risk, with potentially devastating consequences if that data gets into the wrong hands.

Considering that these concerns are not only common, but pretty valid, federal authorities who have collected information on millions of HealthCare.gov insurance customers need to be sure that they’re above reproach. Unfortunately, this doesn’t seem to be the case.

According to an Associated Press story, the administration is storing all of the HealthCare.gov data in a perpetual central repository known as MIDAS. MIDAS data includes a lot of sensitive information, including Social Security numbers, birth dates, addresses and financial accounts. If stolen, this data could provide a springboard for countless cases of identity or even medical identity theft, both of which have emerged as perhaps the iconic crimes of 21st century life.

Both the immensity of the database and a failure to plan for destruction of old records are raising the hackles of privacy advocates. They definitely aren’t comfortable with the ten-year storage period recommended by the National Archives.

An Obama Administration rep told the AP that MIDAS meets or exceeds federal security and privacy standards, by which I assume he largely meant HIPAA regs. But it’s reasonable to wonder how long the federal government can protect its massive data store, particularly if commercial entities like Anthem — who arguably have more to lose — can’t protect their beneficiaries’ data from break-ins. True, MIDAS is also operated by a private concern, government technology contractor CACI, but the workflow has to be impacted by the fact that CMS owns the data.

Meanwhile, growing privacy breach questions are driven by reasonable concerns, especially those outlined by the GAO, which noted last year that MIDAS went live without an in-depth assessment of privacy risks posed by the system.

Another key point made by the AP report (which did a very good job on this topic, by the way, somewhat to my surprise) is that MIDAS’ mission has evolved from a facility for running analytics on the data to a central clearinghouse for data sharing between CMS and health insurance companies and state Medicaid organizations. And we all know that with mission creep can come feature creep; with feature creep comes greater and greater potential for security holes that are passed over and left to be found by intruders.

Now, private healthcare organizations will still be managing the bulk of consumer medical data for the near future. And they have many vulnerabilities that are left unpatched, as recent events have emphasized. But in the near term, it seems like a good idea to hold the federal government’s feet to the fire. The last thing we need is a giant loss of consumer confidence generated by a giant government data exposure.

Windows Server 2003 Support Ends July 14, 2015 – No Longer HIPAA Compliant

Posted on June 16, 2015 | Written By John Lynn

If this post feels like Groundhog Day, then you are probably remembering our previous post about Windows XP being retired and therefore no longer HIPAA compliant, and our follow-up article about a case where “unpatched and unsupported software” was penalized by OCR as a HIPAA violation.

With those posts as background, the same thing applies to Microsoft ending support for Windows Server 2003 on July 14, 2015. Many of you are probably wondering why I’m talking about a 2003 product that’s being sunset. Could people really still be using this software in healthcare? The simple answer is that yes, they are still using Windows Server 2003.

Mike Semel has a really great post about how to deal with the change to ensure you avoid any breaches or HIPAA penalties. In his post he highlights how replacing Windows Server 2003 is a much larger change than it was to replace Windows XP.

In the latter case, you were disrupting one user. In the former case, you’re likely disrupting a whole group of users. Plus, the process of moving a server to a new server and operating system is much harder than moving a desktop user to a new desktop. In fact, in most cases the only reason organizations hadn’t moved off Windows XP was budget. My guess is that many that are still on Windows Server 2003 are still on it because the migration path to a newer server is hard or even impossible. This is why you had better start planning now to move off Windows Server 2003.
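Planning the migration starts with knowing which servers are still on Windows Server 2003, and in many organizations nobody has an accurate list. The script below is an added example, not code from this post or from Mike Semel’s post; it assumes the servers are joined to an Active Directory domain and that the ActiveDirectory RSAT module is installed on the machine running it. The end-of-support date is the one given above; the 30-day activity window and the CSV output path are assumptions you can change.

```powershell
# Added example: inventory Active Directory computer accounts that still run
# Windows Server 2003 so each one can be assigned a migration (or decommission) owner.
# Assumes domain-joined servers and the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$EndOfSupport = [datetime]'2015-07-14'   # Microsoft end-of-support date for Windows Server 2003
$ActiveWindowDays = 30                    # assumption: logons within 30 days count as "live"

# Pull only the attributes needed for the migration tracker.
$Legacy = Get-ADComputer -Filter 'OperatingSystem -like "*Server 2003*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, Enabled |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, Enabled,
        @{ Name = 'DaysPastEndOfSupport'
           Expression = { [int]((Get-Date) - $EndOfSupport).TotalDays } }

$Cutoff = (Get-Date).AddDays(-$ActiveWindowDays)

# Live hosts are still in use and need a migration plan (and compensating
# controls until they are gone); stale accounts are candidates for removal
# from the domain rather than migration. A missing LastLogonDate is treated as stale.
$Live  = @($Legacy | Where-Object { $_.Enabled -and $_.LastLogonDate -and $_.LastLogonDate -gt $Cutoff })
$Stale = @($Legacy | Where-Object { -not ($_.Enabled -and $_.LastLogonDate -and $_.LastLogonDate -gt $Cutoff) })

Write-Host ("{0} Windows Server 2003 account(s) found: {1} active in the last {2} days, {3} stale" -f
    @($Legacy).Count, $Live.Count, $ActiveWindowDays, $Stale.Count)

# Most recently active servers first, since those carry the most risk if left unpatched.
$Legacy | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize

# Export for the migration tracker (output path is an assumption).
$Legacy | Export-Csv -Path '.\server2003-inventory.csv' -NoTypeInformation
```

Run it from a workstation with RSAT as an account that can read computer objects; no domain-admin rights are needed for the query. Servers that are not domain-joined will not appear, so pair the output with a network or vulnerability scanner’s OS fingerprinting if you have standalone boxes.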

I also love this section of Mike Semel’s post linked above which talks about the costs of a breach (which is likely to happen if you continue using unsupported and unpatched software):

The 2015 IBM Cost of a Data Breach Report was just released and the Ponemon Institute determined that a data breach of healthcare records averages $398 per record. You are thinking that it would never cost that much to notify patients, hire attorneys, and plug the holes in your network. You’re right. The report goes on to say that almost ¾ of the cost of a breach is in loss of business and other consequences of the breach. If you are a non-profit that means fewer donations. If you are a doctor or a hospital it could mean your patients lose trust and go somewhere else.

I’m sure that some will come on here like they did on the Windows XP post and suggest that you can keep using Windows Server 2003 in a HIPAA compliant manner. This penalty tells me otherwise. I believe it’s a very risky proposition to continue using unsupported and unpatched software. Might there be some edge case where a specific application requires you to use Windows Server 2003 and you could set up some mix of private networks, firewalls, access lists and other security controls to mitigate the risk of a breach of the unsupported software? In theory, that’s possible, but it’s unlikely most of you reading this are in that position. So, you had better get to work updating from Windows Server 2003.