Is IE 8 considered HIPAA compliant

  • Question

  • We are having a debate about whether or not IE 8 is considered HIPAA compliant. I know in order to remain HIPAA compliant, you must continue to provide security updates in order to stop vulnerabilities with the application. So if Microsoft stops issuing updates for IE 8, would that not mean that IE 8 is no longer HIPAA compliant?

    I'm trying to move forward with IE 10 as I believe it will provide the functionality I need, but first have to back up my argument about HIPAA compliance. 

    I have searched but have come up empty on this, at least definitively. 

    The Life Cycle page for IE says "Releases known as Components follow the Support Lifecycle of their parent Major Product."

    So, I am wondering, since Windows 7 shipped with IE8 as the installed version,  the parent would presumably be Windows 7, which would make IE8's support lifecycle the same, correct?

    Thanks

    Tuesday, November 19, 2013 4:45 PM

Answers

  • Hi,

    The major web players all have a 3 versions policy for web browser support.

    That is, they will support the last 3 versions of browsers from vendors. This covers more than 70% of web traffic/visitation and use.

    IE9 and onwards have security features that hinder or prevent modern attack vectors.

    If you upgrade to IE9 or higher you can still have legacy web application support (IE Compatibility view), but still have the superior security features of IE9 and above.

    There is absolutely no reason to upgrade to IE11 on Windows 7 since it still supports legacy and proprietary MSIE features.

    'Support' for MSIE browsers is provided in security updates through Windows updates, only... (kill bits and occasionally module updates). In turn, support for operating system versions is through Windows updates.... The EOL support for XP means that MS will no longer issue WU for that OS....

    Your C/B argument could be along the lines that the latest version available still supports legacy applications (minimal migration costs), but has the latest security enhancements and future web (HTML5) capabilities. If your upgrade path includes utilization of cloud technologies then the latest version of IE will suffice. IE8 is and will remain DOM3 non-compliant.

    Realistically, on Vista and Windows 7 your minimal IE version should be 9. Optionally Windows 7 can be upgraded to v10 and 11.

    It is not so much a question of browser vendor support, but rather web content provider support for legacy browser versions.


    Rob^_^

    • Marked as answer by Cloud_TS Sunday, December 8, 2013 5:32 PM
    Wednesday, November 20, 2013 2:31 AM

All replies

  • The thing about IE9 is that it's so locked down you have limited control over it, especially when it comes to ActiveX plugins that aren't on MS certified lists (or however they do it).  So it's extremely tricky to get things to work seamlessly (without user interaction -- heaven forbid users have to click an extra time or two), especially through TS/Citrix environments.

    I believe the flexibility of IE10 will allow me to make the user environment/experience, although I still have more testing to do. 

    It's a hard argument with App Developers to try and force them to certify and test on IE10 when they feel IE 8 works just fine, and they think they have better things to do.

    HIPAA is tough because it leaves a lot of things up to interpretation.  I wish I could just find that definitive info from MS so there would be no need to have to argue my interpretation.

    Thanks for the info and feedback, guys.  I do greatly appreciate it.

    BR

    Wednesday, November 20, 2013 5:01 PM
  • Some time has passed since this was asked - but since I found it as a top 5 search link from Google I thought I should post this.

    As of Jan 11th 2016 the HIPAA journal website posted this:

    Use of Internet Explorer 10 and Below Will be a Violation of HIPAA Rules / HIPAA-Covered Entities Have Been Fined for Failing to Install Software Patches/Upgrades

    http://www.hipaajournal.com/upgrade-internet-explorer-to-remain-hipaa-compliant-8259/



    • Edited by Joe Vago Thursday, March 31, 2016 2:37 PM
    Thursday, March 31, 2016 2:37 PM