Microsoft’s decision to end technical support for Windows XP effective April 8 could expose healthcare practitioners whose computers continue to use it to potential liability under HIPAA. Some computer consultants and industry commentators have claimed that simply using XP is now an "automatic HIPAA violation."
After 12 years, Microsoft has decided to stop issuing periodic security updates and patches for XP that protect users from newly developed viruses and other security risks. If a computer running XP that contains patients’ protected health information (PHI) is connected to the internet, that PHI could potentially be accessed through the use of malicious software that XP is unable to block. Some who are urging practitioners to immediately replace their old computers cite Microsoft’s "End Of Support" notice, which stated, "Businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements."
The "End Of Support" notice, however, goes on to refer to the Department of Health and Human Services’ FAQ on operating system requirements under the HIPAA Security Rule, which is reprinted in its entirety below. As HHS’s answer states, all HIPAA covered entities and business associates should be certain that their required security risk analysis includes a review of potential vulnerabilities of their computer network, including the continued use of an unsupported operating system.
Replacing old Windows XP computers is undoubtedly a good idea for those who use and store PHI, but a failure to do so immediately will not constitute the "automatic HIPAA violation" that some claim. As numerous recent HIPAA settlements have shown, however, a failure to conduct a thorough risk analysis can result in the imposition of higher penalties in the event of a data breach, and it is clear that a proper risk analysis must include an assessment of the potential vulnerabilities of the Windows XP operating system, if applicable. The use of HHS’s newly released HIPAA Risk Assessment Tool, as discussed here, is strongly recommended.
HHS’s FAQ reads as follows:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).