The Windows-using world (or at least the XP-using part), got thrown into turmoil on April 8 of this year. As of that date, Microsoft ended support of its XP operating system. This meant a headache for most users, but for healthcare entities in particular, it meant that huge amounts of PHI (protected health information) was now likely unprotected.
For users who were still on XP, this means they’ve had to make choices. Some have decided to simply upgrade to operating systems that are still serviced by Microsoft. For those who’ve decide to remain with XP, they’re faced with some unpleasant realities in the face of an environment where PHI is becoming more and more attractive to cyber-criminals.
One of the primary reasons HIPAA was enacted, was to protect the safety of patient information. The security rule though, does not provide minimum requirements for operating systems. That said, HHS is relatively clear on the matter.
“…as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).”
If there is a data breach, an entity’s preparedness (which includes monitoring of OS weaknesses), will likely be taken into consideration.
Some voices have taken an even more hard-lined stance on the issue. Mac McMillan, CEO & Co-Founder of CynergisTek has been quoted as saying that OCR definitely considers non-upgraded systems as non-compliant. “Windows XP is definitely an issue. In fact, OCR has been very clear that unsupported systems are NOT compliant. They cited this routinely during the audits last year whenever identified. Unsupported systems by definition are insecure and pose a risk not only to the data they hold, but the network they reside on as well.”
Consultants are recommending that even if your healthcare clients’ computer doesn’t actually touch the Internet, that it eventually be upgraded from XP (to Window’s 7 or better, and Server 2008 R2 or better on the server side, according to Derek Wlodarz). A computer’s level of access to networks and the Internet will not be an excuse in the case of a breach. This upgrade may be a problem for many entities though, because many smaller healthcare applications still run on XP only.
All of the complexity around XP’s end of life, is being touted by some as yet another reason for your clients to consider a move directly to cloud computing, which will eliminate the question of upgrades and obsolescence.
Microsoft provides information in their End of Support center that could help you present the facts to your healthcare clients … and brace yourselves, Microsoft is ending support of Vista in 2017.