Windows Server 2008 Critical HIPAA Risk

Windows Server 2008 End of Life is just a few months away. Recent critical security patches lead us to believe that all HIPAA entities running this operating system need to upgrade immediately. Please join us as we consider the recent risks and near future of Windows Server 2008 for HIPAA covered entities.

Windows Server 2008 Risky History

Windows Server 2008 is, like a sinking ship, full of security holes. According to Microsoft’s Update History, there have been 24 security patches in the first eight months of 2019. In the same period of 2017, only 21 patches were released, which makes this a 15% increase. There has been a steady increase in the frequency and severity of patches released each month. Windows Server 2008, already in “extended support”, was not built with the fundamental security concepts employed in later versions.

The difference between Server versions is highlighted by the May 2019 bulletin “Microsoft Fixes Critical Remote Desktop Flaw, Blocks Worm Malware”. The application in question is available on every Windows Server platform, but the flaw only affected Windows Server 2008 and older.

Security Rules for Risk Assessment

The first article of the HIPAA Administrative Security Rules, §164.308(a)(1), begins with Risk Assessment and Risk Management reviews, which are to be conducted regularly. Software developers comply with this by regularly evaluating their product’s security. “End of life” means a software vendor stops all risk assessments for a particular product. Security flaws and vulnerabilities will be found after the end of life date and will remain unpatched.

Your Practice Management Software vendor fully supports upgrading. While software developers can follow best practices for security, if the operating system is insecure then the dangers are unmitigable. Patterson Dental posted their statements about the Windows Server 2008 upgrade for Eaglesoft, and Dentrix thinks updating would be a good idea as well.


Windows Server 2008 dangers are already present and increasing. The Practice Management vendors have updated and will remove support at or near the deadline. Now is the time to contact your hardware technology providers to upgrade before January 14, 2020.
