Microsoft recently announced that, after April 8, 2014, it will not longer provide security updates or technical support for Windows XP. Microsoft’s statement that “businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements” has spurred a certain level of panic among health care providers. The threat of non-compliance can seemingly only be met with costly system upgrades and data migration; however, health care providers need not fear instant non-compliance when the clock strikes midnight on April 8th.
To be certain, running Windows XP without security updates or “patches” will open healthcare entities to increased vulnerabilities and potentially to HIPAA violations; however, it’s important to understand exactly what your obligations are under the Security Rule.
The U.S. Department of Health and Human Services provides the following question and answer on its website:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
Answer: No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
Therefore, while covered entities must meet certain requirements for storing e-PHI, simply operating Windows XP past the date of April 8th will not result in an automatic HIPAA violation so long as the covered entity engages in a detailed risk analysis which addresses the known vulnerabilities, the potential effects of such vulnerabilities and includes a plan to address these issues. This is not to say the issue should be ignored, simply that smaller eligible providers have time to take a breath, talk to their trusted advisors, and address this issue in a way that best suits their organization.