Skip to main content
Toggle Menu of ADA WebSites
ADA Websites
Partnerships and Commissions
Toggle Search Area
Toggle Menu
e-mail Print Share

Upgrade Windows Server 2003 operating system to avoid possible HIPAA violations

January 20, 2015

By Kelly Soderlund

Microsoft will stop providing support for Windows Server 2003 on July 14 and dental practices that don’t upgrade their operating systems may compromise their patients’ protected health information.

Microsoft will no longer provide updates, bug fixes or technical support for Windows Server 2003, which is an operating system that runs on server computers that store and exchange information with computers within a network. Dental offices that are covered under the Health Insurance Portability and Accountability Act should plan for this change so that patients’ protected health information is not compromised.

When Microsoft stops supporting this operating system, all of the information stored on it becomes at risk for security issues, according to experts serving on the ADA Standards Committee on Dental Informatics. After July 14, if a dental practice has a security incident while still using Windows Server 2003, there’s a greater chance the dental practice may be found in violation of HIPAA Security requirements. This is especially true if the dental practice has no documented risk analysis, insufficient security management processes, plans to migrate to a supported operating system or is unable to demonstrate the steps that were taken to mitigate risks associated with this operating system sunset.

The SCDI recommends that dental practices that are HIPAA-covered health care providers start migrating their information over to a new operating system, such as Windows Server 2012 or 2008, before this sunset date. They’ll also need to document the process as part of their ongoing HIPAA compliance efforts.

Unsupported operating systems pose more risk to patients’ protected health information because they are more vulnerable to malware and hacking attempts when they are exposed to the Internet or an office network that is not completely secured. In addition, if the server crashes and there is a problem with the backup information, Microsoft would not be available to help the dental practice recover the data.

The HIPAA Security Rule does not prescribe specific technology or prohibit the use of Windows Server 2003. But its requirements for risk analysis and security management processes compel covered dental practices to engage with, and plan for, this transition or risk potential civil monetary penalties.

Dental practices that use Windows Server 2003 will need to make sure they account for risks, threats and vulnerabilities posed by the product sunset in their risk analyses, implement sufficient safeguards and ensure their documentatioin is complete and kept up to date.

Dental practices that must also replace server hardware should follow the recommended best practices from the National Institute for Standards Technology when disposing of old server equipment or anything that stored protected health information. Dentists can also consult with their computer service provider to see if they offer hard drive sanitation service.

For more information from Microsoft on this change, visit