Microsoft's decision to end technical support for Windows XP effective April 8, 2014, could expose healthcare practitioners whose computers continue to use it to potential liability under HIPAA. Some computer consultants and industry commentators have claimed that simply using XP is now an "automatic HIPAA violation."
After 12 years, Microsoft has decided to no longer issue periodic security updates and patches for XP to protect users from newly discovered vulnerabilities, viruses, and other security risks. If a computer running XP and containing patients' protected health information (PHI) is connected to the Internet, that PHI could potentially be accessed through malicious software that exploits vulnerabilities XP will never receive a patch for. Some who are urging practitioners to immediately replace their old computers cite Microsoft's End of Support notice, which states, "Businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements."
The End of Support notice, however, goes on to refer to the Department of Health and Human Services' FAQ on operating system requirements under the HIPAA Security Rule, which is reprinted in its entirety below. As the HHS answer states, all HIPAA covered entities and business associates should be certain that their required security risk analysis includes a review of potential vulnerabilities of their computer network, including the continued use of an unsupported operating system.
Replacing old Windows XP computers is undoubtedly a good idea for those who use and store PHI, but a failure to do so immediately will not constitute the "automatic HIPAA violation" that some claim. As numerous recent HIPAA settlements have shown, however, a failure to conduct a thorough risk analysis can result in the imposition of higher penalties in the event of a data breach, and it is clear that a proper risk analysis must include an assessment of the potential vulnerabilities of the Windows XP operating system, if applicable. The use of the newly released HHS HIPAA Risk Assessment Tool, as discussed here, is strongly recommended.
The HHS FAQ reads as follows:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity's risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).