Microsoft's decision to end technical support for Windows XP effective April 8, 2014, could expose healthcare practitioners whose computers continue to use it to potential liability under HIPAA. Some computer consultants and industry commentators have claimed that simply using XP is now an "automatic HIPAA violation."
After 12 years, Microsoft has decided to no longer issue periodic security updates and patches for XP to protect users from potential infiltration by newly developed viruses and other security risks. If a computer running XP and containing patients' protected health information (PHI) is connected to the Internet, that PHI could potentially be accessed through the use of malicious software that XP is unable to block. Some who are urging practitioners to immediately replace their old computers cite Microsoft's End of Support notice, which states, "Businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements."
The End of Support notice, however, goes on to refer to the Department of Health and Human Services' FAQ on operating system requirements under the HIPAA Security Rule, which is reprinted in its entirety below. As the HHS answer states, all HIPAA covered entities and business associates should be certain that their required security risk analysis includes a review of potential vulnerabilities of their computer network, including the continued use of an unsupported operating system.
Replacing old Windows XP computers is undoubtedly a good idea for those who use and store PHI, but a failure to do so immediately will not constitute the "automatic HIPAA violation" that some claim. As numerous recent HIPAA settlements have shown, however, a failure to conduct a thorough risk analysis can result in the imposition of higher penalties in the event of a data breach, and it is clear that a proper risk analysis must include an assessment of the potential vulnerabilities of the Windows XP operating system, if applicable. The use of the newly released HHS HIPAA Risk Assessment Tool, as discussed here, is strongly recommended.
The HHS FAQ reads as follows:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity's risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
On January 30, Jed Davis will speak at The Knowledge Group Webcast, "Best Strategies in Protecting Your Firm Against Hackers: What Hackers Can and Cannot Do?"
Susan Huntington authored a chapter, "Enterprise Risk Approach to Successful Population Management," in the recently published third edition of the "Enterprise Risk Management Handbook for Health Care Entities."
Kathy Lawler, Susan Huntington and Erin Healy wrote an article, "Risks for Employers using Drug Import Companies to Manage Costs," for AHLA Weekly.
Theresa Kelly and Howard Fetner wrote an article, "AARP Lawsuit Puts EEOC In An Awkward Position," for Law360.
Jed Davis authored the article, "Cybersecurity for the Under-Resourced" for Bloomberg BNA.
Eric Fader was quoted in an article, "Providers Get More Time to Report Electronic Health Record Data," published in Bloomberg BNA's Health Care Daily Report.
Eric Fader was quoted in an article, "HHS Pact Shows Data Breach Reporting Can't Fall Off Radar," published in Law360.
Eric Fader's comments appeared in an article, "Delayed Breach Notice Costs Illinois Health System," published in Bloomberg BNA's Privacy Law Watch.
Michael Furey was quoted in an article, "Barnabas, Hackensack Meridian Execs to be deposed in Omnia suit, judge rules," NJBIZ.
Eric Fader was quoted in an article, "Outlook 2017: ACA Repeal Dominates Health Policy Predictions," published in Bloomberg BNA's Health Insurance Report.