Upgrade Internet Explorer to Remain HIPAA Compliant

Microsoft will stop support and security updates for Internet Explorer 8, 9 and 10 on Wednesday, January 12, 2016. From that date only the most current version of Internet Explorer available for each supported Windows release receives updates, which for Windows 7 SP1, Windows 8.1 and Windows 10 means Internet Explorer 11. Users must move to Internet Explorer 11, or to Microsoft Edge on Windows 10, to continue receiving support, security updates and patches.

In mid-2014, Microsoft revealed that its internet browser updates for IE8, IE9, and IE10 would be coming to an end. Any user who has not yet upgraded now has just two days remaining before their browser officially becomes obsolete.

Whenever software reaches end of support and security patches stop, continuing to run it carries a growing risk: vulnerabilities keep being found, nobody fixes them, and attackers can exploit the known, unpatched weaknesses for as long as the software stays in use.

Microsoft recently issued a warning saying continued use of IE 10, 9 and 8 would leave users “at risk of viruses and other malicious software that exploit security flaws and bugs in the browsers.”

Figures from Netmarketshare.com and Duo Security put the level of Internet Explorer users with IE10, or lower, installed at between 20% and 36%.

Users of IE 8, 9 and 10 should upgrade promptly. A user who does not upgrade this week is unlikely to be hit by a drive-by malware attack immediately, but the risk rises as unpatched flaws accumulate, so delaying the upgrade for much longer is not advisable. From Wednesday, January 12, 2016, any employee of a HIPAA-covered entity who continues to use Internet Explorer 10 or below is running unsupported software, which the covered entity cannot leave in place without risking a violation of the HIPAA Security Rule.

The HIPAA Security Rule requires covered entities to conduct a risk analysis (§164.308(a)(1)(ii)(A)) that identifies potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI. A properly conducted risk analysis should discover out-of-date and unsupported software, since it is a security risk. Additionally, the Security Management Process standard (§164.308(a)(1)(i)) requires covered entities to implement policies and procedures to prevent, detect, contain and correct security violations; keeping software supported and applying patches in a timely manner falls squarely within that requirement.
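A risk analysis only finds unsupported browsers if someone actually checks. The following PowerShell script is an added example, not code from the original article or from Microsoft, that inventories the Internet Explorer version on a set of Windows workstations and flags anything below IE11. It assumes PowerShell Remoting is enabled on the targets and that the caller has administrative rights; the computer names are constructed placeholders.

```powershell
# Added example (not from the original article): inventory Internet Explorer
# versions on Windows hosts and flag anything below IE11, so the HIPAA risk
# analysis records evidence of unsupported browsers rather than an assumption.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the targets, the
# caller is a local administrator on them, and the host names below are
# constructed placeholders.

function Get-IEVersion {
    # On IE10 and IE11 the 'Version' value still reports 9.x for application
    # compatibility; 'svcVersion' holds the real version, so prefer it.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    $raw   = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }

    # Cross-check against the rendering engine's own file version; a stale
    # registry value after a failed upgrade will not match mshtml.dll.
    $dll     = Join-Path $env:SystemRoot 'System32\mshtml.dll'
    $fileVer = (Get-Item $dll -ErrorAction SilentlyContinue).VersionInfo.ProductVersion

    New-Object -TypeName PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = (Get-WmiObject Win32_OperatingSystem).Caption
        RegistryVersion = $raw
        MshtmlVersion   = $fileVer
        MajorVersion    = [int]($raw -split '\.')[0]
    }
}

function Test-IESupported {
    param([Parameter(Mandatory = $true)][int]$MajorVersion)
    # After 12 January 2016 only IE11 receives security updates on the
    # desktop Windows releases a practice is likely to run (7 SP1, 8.1, 10).
    return $MajorVersion -ge 11
}

# Constructed host list; in a real inventory replace it with an AD query
# such as (Get-ADComputer -Filter *).Name.
$targets = @('WS-RECEPTION-01', 'WS-NURSE-02', 'WS-BILLING-03')

$results = Invoke-Command -ComputerName $targets `
    -ScriptBlock ${function:Get-IEVersion} -ErrorAction Continue

$results |
    Select-Object ComputerName, OSVersion, RegistryVersion, MshtmlVersion,
        @{ n = 'Supported'; e = { Test-IESupported -MajorVersion $_.MajorVersion } } |
    Sort-Object Supported, ComputerName |
    Format-Table -AutoSize

# Hosts still on IE10 or below are risk-analysis findings to document and
# remediate (upgrade to IE11, or move Windows 10 users to Edge).
$results |
    Where-Object { -not (Test-IESupported -MajorVersion $_.MajorVersion) } |
    Export-Csv -Path .\unsupported-ie.csv -NoTypeInformation
```

Hosts that fail to respond to Invoke-Command are just as important as hosts that report IE10: a machine that cannot be inventoried cannot be shown to be patched, so the error output from the remoting call belongs in the risk-analysis record alongside the CSV of unsupported browsers.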

Security patches will continue to be issued for IE11 and future versions. Vulnerabilities Microsoft finds to affect IE11 will be patched, but many of the same flaws will also exist in IE10 and below, where they will remain unpatched.

To take advantage of this, an attacker need only wait for the next IE11 patch, examine which flaws it fixed, and check whether the same code is present in earlier versions of the browser, where the bug remains exploitable. Since there is a real danger of these vulnerabilities being exploited to install malware on healthcare computers running earlier versions of Internet Explorer, an upgrade to IE11 or Microsoft Edge is necessary to remain compliant with HIPAA.

Covered entities that fail to update software, fail to install patches in a timely fashion, or have no patch management policy in place could well face action from the Department of Health and Human Services' Office for Civil Rights (OCR), as Anchorage Community Mental Health Services (ACMHS) found. OCR fined ACMHS $150,000 in 2014 for a data breach that resulted from malware being installed on its computer network.

ACMHS had been running outdated software and had failed to install security patches. Installing those patches would have closed the vulnerabilities the malware exploited and protected the privacy of 2,743 individuals.

Keeping software supported and patched is a basic security function. As Jocelyn Samuels, Director of OCR, said in the statement announcing the HIPAA settlement, “[HIPAA compliance] includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”