Windows XP and HIPAA
On April 8, 2014, Microsoft is ending security updates and patches for Windows XP.
Just having a Windows XP computer on your network will be an automatic HIPAA violation, which makes you non-compliant with Meaningful Use, and will be a time bomb that could easily cause a reportable and expensive breach of protected patient information. HIPAA fines and loss of Meaningful Use money can far outweigh the expense of replacing your old operating system.
The HIPAA Security Rule specifically requires that you protect patient information with system patches and updates, which will not exist for Windows XP after April 8th. Here are some ideas provided by 4MedApproved’s healthcare IT experts that will help you make the right decisions.
You need to take replacing Windows XP seriously and act quickly. The deadline not only affects health care, but businesses and government agencies. This is likely to result in a shortage of equipment and delays getting replacement systems installed. It may take weeks or months to order equipment and get it installed, after you have gone through your purchasing process.
Getting rid of Windows XP often means replacing both software (XP) and hardware (the computer itself). Consider replacing older desktops with newer laptops, micro PCs that mount to the backs of monitors, all-in-one computers, thin clients without hard drives, or tablets. Look at the new ways to purchase or ‘rent’ software like word processing, spreadsheets, presentations, online backups, and file sharing. Rather than installing and supporting expensive software programs on every device, you can pay low monthly fees for the latest software through the Cloud, where everything is accessed through the Internet.
Replacing Windows XP lets you comply with both the HIPAA and Meaningful Use requirements that you secure patient data. Whatever computers you decide to buy must include business-class operating systems that include features to secure access and protect data. ‘Home’ operating systems do not have security features that can protect patient data. You must have a professional version of Windows that includes security features and can join a domain. Don’t be delusional and think that all of your protected patient data is in your EHR system. It may be all over your office on individual PCs. Data should not be stored on individual PCs because it makes it harder to comply with HIPAA and to secure and back up everything. Have a professional IT specialist set up your network so data is always stored on a secure server that is backed up offsite. A network set up with a server as a domain controller will also enable you to comply with HIPAA’s requirements for secure access and retaining access logs for six years.
Some of your Windows XP computers may be managing diagnostic or special purpose devices, and are not managed as part of your office network. Don’t let these hide from you as you replace your office systems. They all need to go. Many diagnostics tools from imaging to dental to ophthalmologic devices have dedicated Windows XP computers that came with the device and are supported by that vendor. Talk to the vendor now. Hospitals may have Windows XP computers connected to point-of-sale systems in Admissions, the billing office, cafeterias, and gift shops.
Encryption was not in Windows XP but is now included in some business-class versions of Windows. It can also be purchased separately from vendors like WinMagic, Symantec, and McAfee/Intel Security. Encryption should be installed on every computer that stores any patient data, including servers, desktops, laptops, and portable devices. Encryption not only protects data at a higher level than passwords, it exempts you from reporting a lost or stolen device. Considering the recent $1.5 million fine for a lost laptop, $1.7 million fine for a lost hard drive, and $150,000 fine for a lost thumb drive, encryption is your cheapest insurance against a reportable data breach.
Refer yourself to a specialist. Talk to an IT professional to determine what will work best for you. Be sure you only consider vendors that will sign HIPAA Business Associate Agreements and validate to you that they comply with HIPAA. (Any breach they cause may ultimately be your responsibility.) The HIPAA and Meaningful Use requirements regarding patient data protection require business-class solutions installed by qualified IT professionals. Devices that include security features must be properly installed, configured, and actively maintained.
This is an abridged version of an article originally published in 4Medapproved’s HIT Security Column. It is republished here with permission of the authors.