Windows XP No Longer HIPAA Compliant
HIPAA Compliance Alert
Executive Summary:
Microsoft has announced that it will no longer support or issue security patches for the Windows XP operating system after April 8, 2014. Based on the analysis below of the requirements in the HIPAA Security Rule, every Windows XP system must be moved to a newer, supported operating system that receives regular updates and security patches. This applies to ALL computers in your office, not only those that store or display patient data, because an unpatched system on your network can be used as a foothold to attack the systems that do. Please review the following chart for more information:
1. Microsoft is ending support, patches, and security updates for Windows XP on April 8, 2014.
2. After that date, any newly discovered security flaw in Windows XP will remain unfixed, so your Windows XP computers will be left vulnerable.
3. You must assess this risk in your Risk Analysis.
4. Your Risk Analysis MUST record that Microsoft is no longer issuing security updates and that, as a result, the system is exposed to breaches of "the confidentiality, integrity, and availability of electronically protected health information."
5. You must address these vulnerabilities in your Risk Management. However, there is no feasible way to remediate a flaw in an operating system that its manufacturer will not patch; anti-virus software and firewalls reduce exposure but do not remove it.
6. Therefore, based on the requirements of the HIPAA Security Rule, all Windows XP systems must be moved to a newer, supported operating system offering regular updates and security patches. This applies to ALL computers in your office, because an unsupported system can be used to reach other systems on your network.
Conflicting Information
Some of you may have heard conflicting information, possibly based on an FAQ issued by CMS regarding operating systems. The technical analysis below takes that FAQ into account and explains how we reached our conclusion:
Windows XP
Windows XP will not be supported after April 8, 2014, and this announcement is what is driving everyone to upgrade to Windows 7 or 8. Why? Security patches (the sometimes annoying but critical updates that force your computer to restart) are issued to close security holes in the operating system as they are discovered. Once Microsoft stops issuing them, every hole found after that date stays open, and someone could gain access to your computer without your knowledge. Anti-virus software and firewalls do not close these holes: they sit around a flawed operating system rather than fixing it, so they cannot provide the protection that a patch would.
Is this enough to make your office non-HIPAA compliant? The answer is more complicated than a simple yes or no. The majority of writers say an emphatic "YES!", while others say "not necessarily." The reason it is not simple is that the HIPAA Security Rule never tells providers in so many words that they must run a supported operating system.
In fact, CMS has complicated the question by issuing the following FAQ:
“Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
Answer: No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronically protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).”
Risk analysis
So, if CMS says that the Security Rule does not mandate minimum operating system requirements, why does everyone think that using an old one is a violation? The answer lies in the Rule's further requirements. The provisions in question are two required implementation specifications under § 164.308(a)(1): "(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the covered entity or business associate. (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a)."
Reading the FAQ together with the Security Rule makes the picture clearer. The FAQ says that "any known security vulnerabilities of an operating system should be considered in the covered entity's risk analysis," and the Rule describes the Risk analysis as an "assessment." But the Rule does not stop there: it also requires you to "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a)." In other words, it is not enough to assess the risk and write it down; you must implement measures that actually reduce it, and for an operating system that will never be patched again there is no measure that does.
Conclusion
Further support is found later in the HIPAA Security Rule, at § 164.308(a)(5)(ii): "(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software." This requirement clearly indicates that you must guard against and be able to detect malicious software, and an operating system that can no longer be patched cannot be guarded against the malicious software written to exploit its unfixed flaws.
What is the final conclusion? Do we have to upgrade operating systems? Please refer back to the conclusion and chart at the beginning of this article, but in short: yes, you must upgrade from XP.
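The first practical step in the Risk Analysis is finding every Windows XP machine, including the ones nobody remembers. The script below is an added example written for this alert; it is not part of the original text and not a Microsoft or CMS tool. It assumes the Active Directory PowerShell module (part of RSAT) is installed on an administrator's Windows 7 or later workstation, that you can read computer objects in the domain, and that legacy hosts allow WMI over DCOM from that workstation (Windows XP has no WinRM by default, so Get-WmiObject is used rather than Get-CimInstance). The report path and the Get-NtVersion helper are names chosen for this example.

```powershell
# Added example (not from the original alert): inventory every enabled,
# domain-joined computer whose Windows version predates 6.0 (Vista/2008),
# which after April 8, 2014 means Windows XP and its siblings, then confirm
# each one live and write a CSV to attach to the Risk Analysis.
# Assumptions: RSAT ActiveDirectory module present, PowerShell 3.0 or later,
# read access to computer objects, WMI (DCOM) reachable on legacy hosts.

param(
    # Hypothetical default location for the report; change to suit your office.
    [string]$ReportPath = "$env:USERPROFILE\Desktop\Unsupported-Windows.csv"
)

Import-Module ActiveDirectory

# Windows XP reports itself as NT 5.1 (32-bit) or 5.2 (XP x64, which shares its
# kernel with Server 2003). Windows Vista and Server 2008 begin at 6.0.
$Cutoff = [Version]'6.0'

function Get-NtVersion {
    # AD stores OperatingSystemVersion as e.g. "5.1 (2600)"; WMI returns "5.1.2600".
    # Keep only major.minor so both forms compare the same way.
    param([string]$Text)
    if ($Text -match '^(\d+)\.(\d+)') { return [Version]"$($Matches[1]).$($Matches[2])" }
    return $null
}

# 1. What Active Directory believes each enabled computer is running.
$fromAd = Get-ADComputer -Filter 'Enabled -eq $true' `
            -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            OS        = $_.OperatingSystem
            NtVersion = Get-NtVersion $_.OperatingSystemVersion
            LastLogon = $_.LastLogonDate
        }
    }

$suspects = $fromAd | Where-Object { $_.NtVersion -and $_.NtVersion -lt $Cutoff }

# 2. Confirm live. A stale AD object does not prove the machine is gone, and an
#    unreachable host may be a powered-off laptop rather than a retired PC, so
#    unreachable suspects stay on the list as unsupported until proven otherwise.
$report = foreach ($s in $suspects) {
    try {
        $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $s.Name -ErrorAction Stop
        $live = Get-NtVersion $os.Version
        [pscustomobject]@{
            Name        = $s.Name
            AdOS        = $s.OS
            LiveOS      = $os.Caption
            LiveVersion = $os.Version
            Unsupported = ($live -lt $Cutoff)
            LastBoot    = $os.ConvertToDateTime($os.LastBootUpTime)
            LastLogon   = $s.LastLogon
            Reachable   = $true
        }
    } catch {
        [pscustomobject]@{
            Name        = $s.Name
            AdOS        = $s.OS
            LiveOS      = $null
            LiveVersion = $null
            Unsupported = $true
            LastBoot    = $null
            LastLogon   = $s.LastLogon
            Reachable   = $false
        }
    }
}

$report | Sort-Object Reachable, Name | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table Name, AdOS, LiveVersion, Reachable, LastLogon -AutoSize
"{0} of {1} enabled computer objects report a Windows version below 6.0; report written to {2}" -f `
    @($report).Count, @($fromAd).Count, $ReportPath
```

Run it from an elevated PowerShell prompt on a domain-joined workstation and keep the CSV with the Risk Analysis. Machines that are not domain-joined (a lab PC, a vendor-supplied imaging workstation, a kiosk) will not appear in Active Directory at all and must be walked down and checked by hand; the AD query is a starting point, not a complete answer, which is exactly why the alert says ALL computers.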