Dept. of HHS May Require You to Upgrade
Ubuntu 14.04 “Trusty Tahr” is reaching its End of Life for long-term maintenance on April 30th, 2019. This means that beginning in May, your Trusty Tahr server will no longer be eligible to receive critical security updates without purchasing Extended Security Maintenance (ESM) from Ubuntu at a price tag of roughly $2500. https://buy.ubuntu.com/
We recommend that all users of Ubuntu servers running 14.04 and below plan now to upgrade to Ubuntu 18.04.
HIPAA requires business associates to conduct risk analyses, then mitigate the risks identified during those analyses. Unpatched software is obviously a risk, and OCR says the mitigation requirement applies to patching as follows:
This includes identifying and mitigating risks and vulnerabilities that unpatched software poses to an organization’s ePHI. Mitigation activities could include installing patches if patches are available and patching is reasonable and appropriate. In situations where patches are not available (e.g., obsolete or unsupported software) or testing or other concerns weigh against patching as a mitigation solution, entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level (e.g., restricting network access or disabling network services to reduce vulnerabilities that could be exploited via network access)
Read more on HHS’s website:
The Mi-Squared Team