Microsoft's decision to end technical support for Windows XP effective April 8, 2014 could expose healthcare practitioners whose computers continue to run it to potential liability under HIPAA. Some computer consultants and industry commentators have claimed that simply using XP is now an "automatic HIPAA violation."
After 12 years, Microsoft will no longer issue security updates or patches for XP, so newly discovered vulnerabilities in the operating system will remain unpatched. If a computer running XP that stores patients' protected health information (PHI) is connected to the internet, that PHI could be accessed by malicious software exploiting an XP vulnerability for which no fix will ever be released. Some who are urging practitioners to replace their old computers immediately cite Microsoft's "End Of Support" notice, which stated, "Businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements."
The "End Of Support" notice, however, goes on to refer to the Department of Health and Human Services' FAQ on operating system requirements under the HIPAA Security Rule, which is reprinted in its entirety below. As HHS's answer states, all HIPAA covered entities and business associates should make certain that their required security risk analysis includes a review of the potential vulnerabilities of their computer network, including the continued use of an unsupported operating system.
Replacing old Windows XP computers is undoubtedly a good idea for those who use and store PHI, but a failure to do so immediately will not constitute the "automatic HIPAA violation" that some claim. As numerous recent HIPAA settlements have shown, however, a failure to conduct a thorough risk analysis can result in the imposition of higher penalties in the event of a data breach, and it is clear that a proper risk analysis must include an assessment of the potential vulnerabilities of the Windows XP operating system, if applicable. The Security Rule also requires that identified risks be managed, so a practice that cannot retire its XP machines immediately should document the interim measures it adopts, such as removing PHI from those machines, disconnecting them from the internet, or limiting their use to tasks that do not involve PHI. The use of HHS's newly released HIPAA Risk Assessment Tool is strongly recommended.
HHS's FAQ reads as follows:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
Answer:
No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity's risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.