End-of-life software can land HIPAA violations and penalties

The nature of software and services those apps will eventually take advantage of updates or newer versions. The reasons for this are twofold: to maintain updated security and to provide the best possible services to its user base.

Back in the day, software and programs were typically a one-time purchase. If you wanted, say, Microsoft Office, you would buy one of the programs – or all – for a single, if not pricey, purchase. Today, providers have various options for more affordable tiers, known as SaaS (software as a service). That assures users can access all the programs they want for a monthly or annual subscription.

However, not everything runs on this model. Legacy infrastructure and older programs don’t come equipped with this option. Additionally, those older programs are often no longer supported by their publishers. This discontinuation is also referred to as “end of life,” a normal trajectory for software, apps, and services. Normally, this is nothing to worry about. But in a professional – especially medical – environment, that runs serious risk of violating HIPAA regulations.

Today, this is especially significant. Maintaining the latest versions isn’t just about speed and service, it’s a matter of safety. Today, we live in a threat climate littered with ransomware, phishing schema, and malware attacks. Many of those attacks rely on sniffing out older software and systems to exploit. An older, unsupported operating system for example won’t utilize the latest patches to protect against threat actors.

For that reason, using “end of life” software violates HIPAA and can incite other regulatory penalties.

Am I using EoL services?

For the most part, companies and people don’t use EoL software for malicious purposes. The reasons may be related to cost, comfort and familiarity, or inability to upgrade. But regardless, using them is still dangerous, while simultaneously risking a federal penalty.

So, it’s important to check over what services and apps you implement in your medical network. Some are required to run the latest version from their respective publisher, such as operating systems. As a quick note, a majority of mainstream software must be running the latest version. If you take advantage of SaaS, they’re automatically updated.

But forming a checklist of potentially outdated software is important. Not all practices use the same software, and some even utilize custom in-house apps. The difference is, what is required to be updated and what is not.

• Does the software/app in question store critical data and patient info?
•  Is the service an operating system or manages important security options?
•  Does the app or software maintain network connectivity, or require it?

You’ll notice a pattern related to network connectivity or data storage. Those are key elements of software that need to be updated. If they reach EOL status, it’s important to update, find alternatives, or retire the app in question.

Is Dragon Medical One HIPAA Compliant?

Dragon Medical One is a medical dictation SaaS receiving regular updates; is fully supported; and follows the same rules for updates and regulatory compliance. Following said regulations, you should be aware that Nuance Dragon Medical Practice Edition 4 reached EOL as of March 31st, 2021. If you are still running this outdated version, you should upgrade to Dragon Medical One as soon as possible.

The OCR has investigated over 100,000 complaints related to HIPAA since the 2003 HIPAA Privacy Rule and has acted on 281,0222 cases, or over ninety percent. In other words, they do investigate complaints or violations and will act on them.

In short, our dictation software is always running the latest in compliance with HIPAA, as you should with your medical network infrastructure.