Monday, Feb. 24th 2014

Windows XP soon no longer HIPAA compliant

The days of Windows XP in the healthcare industry are now numbered. As of April 8, 2014, Microsoft will stop developing and releasing security and enhancement patches for Windows XP, and the same support for Windows Server 2003 will end in July 2015. This will effectively make any health care organization still using these operating systems non-HIPAA compliant after the respective dates. What makes this a violation is that HIPAA requires patient information to be protected with system patches and updates.

Actually, mainstream Microsoft support for Windows XP ended in April 2009. Since then there have been only critical security updates. After the 2014 deadline, Microsoft will not support XP at all (including IT support online and by phone), and even your IT provider won’t be able to fix many problems that may crop up. Eventually, all those little fixes here and there won’t be sufficient.

Mac McMillan, CEO & Co-Founder of CynergisTek, had this to say when asked what the HIPAA implications were for those who aren’t able to move off Windows XP before April 8:

“Windows XP is definitely an issue. In fact, OCR has been very clear that unsupported systems are NOT compliant. They cited this routinely during the audits last year whenever identified. Unsupported systems by definition are insecure and pose a risk not only to the data they hold, but the network they reside on as well. Unfortunately, while the risk they pose is black and white, replacing them is not always that simple. For smaller organizations the cost of refreshing technology as often as it goes out of service can be a real challenge. And then there are those legacy applications that require an older version to operate properly.”

Non-compliance is a twofold problem. First, it exposes organizations to liabilities and possibly large fines. Second, it denies meaningful use monies and incentives. Offices need to upgrade software and hardware to avoid being fined for violations, as having even one Windows XP computer on your network will be an automatic HIPAA violation. Although upgrading old systems may sound like an expensive proposition, the cost of doing nothing could be more.

Some of your Windows XP computers may be running diagnostic or special-purpose devices and are not managed as part of your office network. Don’t let these hide from you as you replace your office systems; they all need to go. Many diagnostic tools, from imaging to dental to ophthalmologic devices, come with dedicated Windows XP computers supplied and supported by the device vendor. Talk to the vendor now. Hospitals may have Windows XP computers connected to point-of-sale systems in Admissions, the billing office, cafeterias, and gift shops. IT personnel should be consulted on what hardware to purchase that will work best with the new software being upgraded to. You need a business-class operating system (OS) with secure access, professional versions of software, and a network set up to back up all data.
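A starting point for the inventory described above, added here as an example and not part of the original post or any vendor's tooling: it queries Active Directory for computer objects still reporting Windows XP or Windows Server 2003 and flags how far each is from its end-of-support date. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the account running it can read computer objects; the output file name is arbitrary.

```powershell
# Added example (not from the original post): find domain-joined computers
# running Windows XP or Windows Server 2003 and report their support status.
# Assumes the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# End-of-support dates: 8 April 2014 as stated in the post for XP;
# 14 July 2015 is Microsoft's published date for Server 2003 (post says "July 2015").
$eol = @{
    'Windows XP'          = [datetime]'2014-04-08'
    'Windows Server 2003' = [datetime]'2015-07-14'
}

# AD filter on the OperatingSystem attribute each machine reports when it joins.
$filter = "OperatingSystem -like 'Windows XP*' -or OperatingSystem -like 'Windows Server 2003*'"
$computers = Get-ADComputer -Filter $filter `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address

$report = foreach ($c in $computers) {
    $family = if ($c.OperatingSystem -like 'Windows XP*') { 'Windows XP' } else { 'Windows Server 2003' }
    $daysLeft = ($eol[$family] - (Get-Date)).Days
    [pscustomobject]@{
        Name         = $c.Name
        OS           = $c.OperatingSystem
        ServicePack  = $c.OperatingSystemServicePack
        IPv4         = $c.IPv4Address
        LastLogon    = $c.LastLogonDate
        EndOfSupport = $eol[$family].ToString('yyyy-MM-dd')
        DaysLeft     = $daysLeft
        # Past the date: no more patches at all; within 90 days: replacement must already be scheduled.
        Status       = if ($daysLeft -lt 0) { 'UNSUPPORTED' } elseif ($daysLeft -le 90) { 'EXPIRING' } else { 'PLAN' }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize
# Arbitrary output path; hand the CSV to whoever owns the replacement budget.
$report | Export-Csv -Path .\unsupported-windows.csv -NoTypeInformation
```

This only sees machines joined to the domain; the vendor-supplied diagnostic and point-of-sale PCs the post warns about are usually not, so they still have to be found by walking the facility and asking each device vendor.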

Encryption should be on all devices. Encryption was not in Windows XP but is now included in some business-class versions of Windows. It can also be purchased separately from vendors like WinMagic, Symantec, and McAfee/Intel Security. Encryption should be installed on every computer that stores any patient data, including servers, desktops, laptops, and portable devices. Encryption not only protects data at a higher level than passwords; it also exempts you from reporting a lost or stolen device. Considering the recent $1.5 million fine for a lost laptop, the $1.7 million fine for a lost hard drive, and the $150,000 fine for a lost thumb drive, encryption is your cheapest insurance against a reportable data breach.

Time is limited: there are fewer than 12 weeks left to upgrade Windows XP software and hardware. Addressing XP and Server 2003 issues will not only make your practice more functional and secure and keep you HIPAA compliant, it will also remove you as a giant target for hackers. Cyber criminals will find systems still running Windows XP and Server 2003 much easier prey.
