On April 8, 2014, Microsoft stopped providing patches and updates for the Windows XP operating system. While this seems like old news and a bit crazy to talk about, many healthcare organizations are still using Windows XP. In discussing this issue with many healthcare organizations, one of the most common issues is that they are using software that cannot be migrated to newer versions of Windows and is needed for day-to-day patient care. The vendors that support these software systems are aware; however, they have not taken action to move the software to a newer Windows platform.
So they’re not providing updates: what does that actually mean? With no updates being provided, there will be no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates for the operating system. This leaves the system vulnerable to attack from the outside. There has been a lot of documentation and confusion about what needs to be done to protect information stored on computers that have not migrated off Windows XP. In addition, many articles have been published stating that if organizations didn’t migrate off the Windows XP platform by 4/8/14, providers will not be eligible for Meaningful Use and will not be HIPAA compliant. Fact or fiction?
Fact: You are not technically in violation of HIPAA if you use Windows XP, as HIPAA doesn’t mandate any specific software system; HOWEVER, the practice is extremely risky and you could be found out of compliance if a data breach were to occur.
The HIPAA Security Requirement 164.308(a)(5)(ii)(B) is an addressable standard that states that an organization must have “policies and procedures for guarding against, detecting, and reporting malicious software.” Malicious software can be introduced through any program, usually in the form of a virus, Trojan horse, or worm. Without the ability to apply security patches to the Windows XP operating system, there are risks to the organization and to the data that the organization keeps and maintains. Good documentation of the other safeguards that exist to protect that computer MUST be implemented and maintained if you choose to keep running the Windows XP operating system.
It is also important to note that nowhere in the Meaningful Use requirements or the HIPAA requirements does it specify having to be on a specific software platform or operating system. Here is an example FAQ from HHS for clarification regarding operating system requirements under HIPAA; no specific operating system must be used! http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html
Still Using XP – What you should be doing now:
- Evaluate and determine how to migrate from Windows XP to an updated operating system as soon as possible.
- If a vendor’s software only runs on XP, work with them and continue to push them to update the software, given the risks of the old system and the lack of security patches.
- Conduct your HIPAA risk assessment to determine if your organization’s systems are still operating on Windows XP and what risks exist.
- Come up with a detailed risk management process if your organization is still running on Windows XP, including information on how to reduce risk until you migrate from the Windows XP system.
- Evaluate everything. There is no ‘formal’ documentation from HHS, ONC, or the OCR regarding this measure or how to interpret it from a Meaningful Use and HIPAA perspective.
- Ensure that you document Windows XP as a risk to your organization within the risk assessment/mitigation, as well as the potential impacts from malware, viruses, & hackers.
- If questions come up, ask for clarification or assistance.
As of July 14, 2015, Microsoft will stop providing updates and support for any version of Windows Server 2003, leaving organizations with the challenge of upgrading and/or migrating to new server software. If you are still running on Windows Server 2003, it is time to take steps now to execute a proper migration strategy and protect your patient information.
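The first step in the list above, finding out whether any of your systems still run Windows XP (or Windows Server 2003, which is heading for the same end of support), can be answered from Active Directory. The following PowerShell script is an added example, not part of the original post; it assumes the machines are domain-joined and that the RSAT ActiveDirectory module is installed on the workstation running it.

```powershell
# Added example: inventory Active Directory computer objects that still report an
# unsupported operating system (Windows XP or Windows Server 2003).
# Assumptions: domain-joined computers; RSAT ActiveDirectory module available.
Import-Module ActiveDirectory

# Match every edition and service pack of XP and Server 2003 using the OS string
# each machine last wrote to its own computer object.
$filter = 'OperatingSystem -like "Windows XP*" -or OperatingSystem -like "Windows Server 2003*"'

$legacy = Get-ADComputer -Filter $filter `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, Enabled |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, Enabled |
    Sort-Object LastLogonDate -Descending

# Summarize on screen and keep a dated CSV as evidence for the risk assessment file.
"{0} computer object(s) still report Windows XP or Windows Server 2003" -f @($legacy).Count
$legacy | Format-Table -AutoSize
$legacy | Export-Csv -Path ("LegacyWindows-{0:yyyy-MM-dd}.csv" -f (Get-Date)) -NoTypeInformation
```

The OperatingSystem attribute is self-reported when the machine joins or logs on, so the list may include stale or decommissioned objects (check LastLogonDate and Enabled) and will miss standalone or workgroup devices, which need a separate walk-through.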
Final note: Running any type of organization where protected health information is involved and there are not adequate and regular security patches being implemented is a risky practice and could expose an organization to a data breach. From the eyes of a security professional – the risk isn’t worth a large scale breach of information. It is time to take action now and get rid of old software platforms that are no longer being updated and supported.