Microsoft's decision to end technical support for Windows XP effective April 8, 2014, could expose healthcare practitioners whose computers continue to use it to potential liability under HIPAA. Some computer consultants and industry commentators have claimed that simply using XP is now an "automatic HIPAA violation."
After 12 years, Microsoft has decided to no longer issue periodic security updates and patches for XP to protect users from potential infiltration by newly developed viruses and other security risks. If a computer running XP and containing patients' protected health information (PHI) is connected to the Internet, that PHI could potentially be accessed through the use of malicious software that XP is unable to block. Some who are urging practitioners to immediately replace their old computers cite Microsoft's End of Support notice, which states, "Businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements."
The End of Support notice, however, goes on to refer to the Department of Health and Human Services' FAQ on operating system requirements under the HIPAA Security Rule, which is reprinted in its entirety below. As the HHS answer states, all HIPAA covered entities and business associates should be certain that their required security risk analysis includes a review of potential vulnerabilities of their computer network, including the continued use of an unsupported operating system.
Replacing old Windows XP computers is undoubtedly a good idea for those who use and store PHI, but a failure to do so immediately will not constitute the "automatic HIPAA violation" that some claim. As numerous recent HIPAA settlements have shown, however, a failure to conduct a thorough risk analysis can result in the imposition of higher penalties in the event of a data breach, and it is clear that a proper risk analysis must include an assessment of the potential vulnerabilities of the Windows XP operating system, if applicable. The use of the newly released HHS HIPAA Risk Assessment Tool, as discussed here, is strongly recommended.
The HHS FAQ reads as follows:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity's risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).