HIPAA: Get off Windows XP Now! Seriously!

Ok, HEALTHCARE world, you have GOT to get with the program and MOVE forward.  We continue to go into healthcare providers of all kinds; hospitals, clinics, doctors, dentist, optometrist, dermatologist, etc and find these old, slow, archaic systems running Windows XP.  Here are a few reasons why you should PULL THE PLUG on Windows XP.

Reasons to part ways with Windows XP

1. No longer officially supported by Microsoft. If you want any support, be prepared to open your wallet in a big way.
2. Has known vulnerabilities that have NOT been patched.  See 1. above.
3. Known security deficiencies that are not compliant to current standards.
4. XP will not pass the NIST HIPAA compliance test which is the basis for a compliant risk assessment.
5. The U.S. Government has made it clear stating XP is NOT a safe operating system.
6. To say the HHS OCR will “frown” on using XP in your healthcare business is a slight understatement. What come to mind is more like “big fine”!

Yes, we know, that Windows XP is NOT in and of itself a HIPAA violation.  However, it will NOT pass the HIPAA compliance tests specified by NIST, so that’s a pretty flimsy excuse if your patient’s ePHI is stolen.

The California Dental Association has a good article on this and explains it well.

The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer). (Source)

Takeaways

1. If you’re still using XP, you probably have other much larger security issues you need to address.
2. Migrate to a current supported and more secure operating system now.  You’ll sleep a little better at night knowing your business and patients are better protected.