WOOF! Newsletter

March 25, 2014

Does Using XP after April 8 Force Healthcare Organizations Out of HIPAA Compliance?

If you're a healthcare organization (and thus subject to HIPAA regulations), it's said that using Windows XP after the April 8 deadline will immediately push you out of HIPAA compliance. Is this really true? There are situations where it is. Read this month's WOOF to find out what you can (and should) do about it.
If you plan to run XP after its end of life on April 8, you’re taking a risk with your network’s security. If your network’s security isn’t enough reason to upgrade, what about HIPAA compliance?

Staying compliant with HIPAA is critical for healthcare providers and the organizations that support them. Yet a popular belief about using Windows XP after April, is that a healthcare business or nonprofit – any entity that must maintain HIPAA compliance – would immediately be out of compliance.

(This also applies to using Office 2003.)

Citations of the issue are common on the Web:
No HIPAA or Meaningful Use Compliance with Windows XP – HiTech Answers
Running Windows XP Means You Are Non-Compliant and Open to Liability – TechRepublic
5 Big Myths Surrounding Computer Security and HIPAA Compliance – BetaNews
8 Reasons You Can’t Be HIPAA Compliant Next April Running Windows XP – Tech Subluxation.com
Clarifying HIPAA’s Impact on Using Windows XP in the Dental Office – CDA

Is this actually true? Does “XP = Automatic HIPAA Fail”?
Not quite—but close.

How Windows XP and HIPAA Compliance are Linked (and Why XP’s Deadline Risks Non-Compliance)

The entire concern over HIPAA compliance stems from what ends on April 8. After that, Microsoft will no longer provide XP users with patches for security vulnerabilities. Therefore, all systems running XP do not meet HIPAA compliance standards for securing patient data.

"The HIPAA Security Rule specifically requires that you protect patient information with system patches and updates." (HiTech Answers)

You can find the specific text of the HIPAA Security Rule here.
[http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html]

While HIPAA does mandate security for patient data, there’s a slight mismatch here. The Security Rule text does not specifically state that an operating system (which XP is) must adhere to certain requirements about how new it is.

The important text, instead, is at the bottom:
"Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer)."
So according to the Security Rule, an organization still running XP could stay within HIPAA compliance - *IF* it implements additional security measures to protect patient data. Covering over any holes XP might have.

While additional security is possible...it's really just a Band-Aid.

What Healthcare Organizations Can (and Should) Do to Maintain HIPAA Compliance

If you're a healthcare services provider, or your business services the healthcare industry, and you still have computers running Windows XP, you have some work to do. Here are options for staying compliant with HIPAA.
  • Disconnect the XP computers from the Internet. This would eliminate the possibility of them being attacked. Unless of course your XP computers need to get online, to connect with an EMR system for example. In which case, try this...
  • Retire the XP computers. Upgrade them to Windows 7 if they're new enough, or replace them with new systems.
  • Switch to cloud hosting. Sounds like a complex ordeal, but not really. Plus this switches the burden of maintaining compliance to the cloud provider (our private cloud service is HIPAA compliant).
  • Switch to a Virtual Desktop Infrastructure (VDI). This essentially means transferring your desktops' operating systems (XP in this case) into a server. The server can then be protected against security vulnerabilities, letting you use XP securely.
  • Check your employees' Office versions. Like we said above, this compliance issue applies to Office 2003, too. You don't want any copies lingering!
  • Upgrade Office 2003 to a newer version. If you find any computers with Office 2003, they should run Office 2010 without any other upgrades. Maybe Office 2013 as well (check first). That will buy you a few years.
We can all agree that securing patient data is critical for everyone in the healthcare industry. Using Windows XP after April 8 may not guarantee you’ll fall out of HIPAA compliance, if you put other security in place around patient data.

That being said, it’s easier just to stop using XP.