Are Windows Server Platforms HIPAA Compliant?
By Gil Vidals, HIPAA Blog, Resources

Mission-critical servers are valued for their longevity, and Windows is no exception. As a closed-source technology, Windows Server platforms typically have a long life-cycle, in part because the training and manuals for the tools are proprietary, just like the software.

But similar to the Windows desktop distributions (XP, Vista, 7, 8, 8.1, and 10), the Windows Server architectures can be problematic for HIPAA compliance. Yet with diligent care, a computer running Windows Server can comply with all aspects of HIPAA and become an acceptable server on which protected health information (PHI) can reside.

Just like the desktop versions, Windows Server has had several different releases. The 2003 version, with its advanced, semi-automated testing for bugs (known as PREfast), and features like enhanced Active Directory compatibility and better deployment support, remained popular until it was removed from support in July 2015.

In time, Windows Server 2012 came to be preferred for its many enhancements, including greater flexibility with virtualized environments. Version 2012’s improved security features included granular password policies, Dynamic Access Control, AppLocker, BitLocker, and advanced security auditing.

Presently, version 2016 is reflecting current trends by offering the ability to isolate applications through containerization. Docker-based applications have the added flexibility of running on both Windows and Linux, allowing greater portability. Security is also enhanced, due to the container’s isolation from other applications and from potentially malicious code. Nested virtualization (essentially, the ability for a virtual machine to host virtual machines) is also a new feature in version 2016, as well as the ability to add virtual hardware while VMs are still online and running.

Protecting PHI

Servers are mines of PHI, and to prevent them from being compromised, upgrades should be treated as a critical priority. Unfortunately, many IT professionals are wary of performing the upgrades necessary to remain compliant. But while upgrading can be inconvenient (and often is), leaving a hole open can be a gateway to a HIPAA violation.

Upgrading from older versions of Windows Server need not be a scary proposition, however, as server distributions are designed with upgrades in mind. Many, if not all, applications have guidelines on moving to the newest incarnation of the platform.

It is generally a good idea to use the latest and greatest (or the latest and most stable) tool from a particular vendor in order to stretch the amount of time it will be supported. Adopting a newer tool early is always a better option than waiting until one is forced to do so when faced with a breach of HIPAA.

Though some believe that running behind a firewall or with a strong antivirus solution may mitigate the risk of a HIPAA violation, the fact of the matter is that even if known threats are protected against, exploits will continue to be published for older server versions – and they will not be patched.

The HIPAA Security Rule calls for guarding against, detecting, and reporting malicious software. For Windows Server, upgrading to the latest version is critical to help maintain compliance. Having the assistance of a set of dedicated IT professionals to manage your services and software can help.
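The controls this post names (current patching, anti-malware protection, BitLocker at rest, AppLocker application control) can be evidenced from the server itself. The script below is an added example written for this page; it is not code from the original post or from HIPAA Vault. It assumes Windows PowerShell 5.1 or later on a Windows Server host with the built-in Defender, BitLocker and AppLocker modules available, run from an elevated session, and it reads state only. The 30-day patch-age threshold is an assumed value, not a HIPAA requirement.

```powershell
# Added example (not from the original post): a read-only snapshot of the
# Windows Server controls the post discusses, suitable as HIPAA evidence.
# Assumes Windows PowerShell 5.1+ on Windows Server with the Defender,
# BitLocker and AppLocker modules present; run elevated.

function Get-ServerComplianceSnapshot {
    [CmdletBinding()]
    param(
        # Assumed threshold: flag hosts whose newest update is older than this.
        [int]$MaxPatchAgeDays = 30
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Newest installed update. Get-HotFix only lists QFE-style updates, so this
    # is an indicator of patch hygiene, not an authoritative update inventory.
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $patchAge = if ($lastFix) { (Get-Date) - $lastFix.InstalledOn } else { $null }

    # Anti-malware state (Security Rule: protect against malicious software).
    $defender = $null
    try { $defender = Get-MpComputerStatus -ErrorAction Stop } catch { }

    # Encryption at rest for every BitLocker-capable volume.
    $bitlocker = @()
    try { $bitlocker = @(Get-BitLockerVolume -ErrorAction Stop) } catch { }

    # Application control: count rules in the effective AppLocker policy by
    # inspecting its XML, which is stable across module versions.
    $appLockerRules = 0
    try {
        $xml = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $appLockerRules = [regex]::Matches($xml, '<File(Path|Publisher|Hash)Rule\b').Count
    } catch { }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OperatingSystem    = $os.Caption
        Build              = $os.BuildNumber
        LastPatchInstalled = if ($lastFix) { $lastFix.InstalledOn } else { $null }
        PatchAgeDays       = if ($patchAge) { [int]$patchAge.TotalDays } else { $null }
        PatchingStale      = ($null -eq $patchAge) -or ($patchAge.TotalDays -gt $MaxPatchAgeDays)
        AntimalwareEnabled = [bool]($defender -and $defender.AntivirusEnabled)
        RealTimeProtection = [bool]($defender -and $defender.RealTimeProtectionEnabled)
        SignatureAgeDays   = if ($defender) { $defender.AntivirusSignatureAge } else { $null }
        UnencryptedVolumes = @($bitlocker |
            Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' } |
            ForEach-Object { $_.MountPoint })
        AppLockerRuleCount = $appLockerRules
    }
}

# Usage: print the snapshot for this host. Piping to Export-Csv instead gives
# a record that can be kept with other compliance evidence.
Get-ServerComplianceSnapshot | Format-List
```

Each probe is wrapped in try/catch so the report still completes on a host where a module is missing; a missing module shows up as a false or empty field, which is itself a finding. A non-zero UnencryptedVolumes list, a stale patch date, or a zero AppLocker rule count are the items an auditor would expect the operator to explain or remediate.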

HIPAA Vault’s HIPAA Cloud plan for Microsoft Windows provides you the latest security updates, taking the burden of concern off your shoulders while protecting your EMR (electronic medical record) data with minimal client-side effort. Your virtual machines are hosted in a compliant data center, with ongoing, flexible resource allocation, and the 24/7/365 support you need to meet all HIPAA compliance requirements.

For more information, see HIPAA Vault HIPAA Cloud Startup with Windows