HIPAA Compliancy question


Oct 15, 2007
The office manager and I at a doctor's office where I handle IT support have been going back and forth with the managing partner of the practice about why we need to upgrade the server. Am I correct in using the argument that Server 2003 will no longer be HIPAA compliant after the end of extended support in 2015? The argument that the server is 9 years old and the fact that they blew a motherboard 4 years ago isn't good enough for him; he thinks it's fine to use. I'm hoping that telling him the server will no longer be compliant in 2 years will finally allow me to win. I just want to make sure that argument is correct.
The fact that there will no longer be security patches available takes it out of HIPAA compliance. Just get 2008 R2 and be done with it. Spend a grand on a small rack-mounted Dell server and be done with it.
If only it were that easy to just spend a grand. They use specialized software for the procedure side of the office, and before I started with them they got a quote of $25,000 for just that server from the software company, and the box they quoted to replace is the 2003 box he wants me to use for the whole network. It's a 30-person office and I have been pushing for 2 years to set up a domain. The managing partner is one of those docs who thinks he knows everything about IT and that my recommendations are pointless and unneeded. I never saw the quote, so I have no idea how massively that was marked up. Just going off what they have now, I'm guessing it was a giant markup, because that price didn't include the price of software, licensing, or anything to that extent. The whole quote was close to 190 grand, and that's to run it on a server and 2 computers plus support.
If that's the route they are heading, I see massive financial losses from either fines for being out of compliance, lawsuits over leaked/stolen data, or physical theft of hardware. I hope they understand that the longer they wait, the more expensive it'll be when they need to bust ass and get everything up to spec in the end.
I am not sure about HIPAA, but in the PCI (Payment Card Industry) world, the rules are very similar. If your system is not compliant (regular OS updates are required), you will start receiving fines. They can go from some minor amount up to 100k, plus mandatory audits of all computer systems. So tell them that in the long run this upgrade is needed, and it will save them tons of money in the form of fines, headaches, downtime, etc.
HIPAA isn't really enforced on smaller practices. It still applies, but enforcement is quite lax. One of my customers has never been inspected in 3+ years.
I faced a similar issue, but the doc was willing to listen. Upgraded his physical server and virtualized everything. Easy peasy lemon squeezy.
Yeah, Meanee's right. PCI can be just as bad. Locked doors for servers containing data, not recording CC#s on calls, not storing CC#s, encryption of data... there's a ton of stuff on that side as well.
PCI can somewhat be mitigated by reducing the number of in-scope systems. But an unsupported OS is not compliant anywhere.