HIPAA BS about Windows XP

Let the Discussion Begin

Note from the Editor: In the spirit of "free content", I am publishing Keith's post, which is a direct response to a previous post on our site that he finds has entirely too much misinformation. While I am the editor and do read everything that is published, I cannot be an expert in every field. Luckily we have our loyal readers and experts who can shed light on everything we talk about here. Since this publication, Mike has posted more facts on the subject; read his post, Windows XP Debate Continues.

Keith Boone, Healthcare Standards
Twitter: @motorcycle_guy

OK, don’t get me wrong.  I usually like stuff posted over at HITECHAnswers, but this is just one of those days where posting free content just doesn’t pay. First read the post in question.

Now, let’s see where the feces lie.

  1. "Just having a Windows XP computer on your network will be an automatic HIPAA violation." There may be automatic HIPAA violations, but JUST HAVING A WINDOWS XP computer on your network isn't one of them. Not doing an annual risk analysis is. And if you do a risk analysis and can verify that you've taken appropriate steps to protect the other computers on your network from the Windows XP computers which may also need access to that network, then you may be in compliance (depending on what else you found).
  2. "Which makes you non-compliant with Meaningful Use." HIPAA violations don't automatically make you non-compliant with Meaningful Use. There is nothing in Meaningful Use that says if you have a HIPAA violation you lose your incentive $$$. HIPAA violations happen, and HHS can penalize you for them, but at the moment they cannot cause you to lose your status as a meaningful user. What Meaningful Use says about it can be found at 495.6(j)(16)(i) and (l)(15)(j).
  3. "and will be a time bomb that could easily cause a reportable and expensive breach of protected patient information." OK, not really bullshit, but still the crap-o-meter is up there. What is that computer doing and what is it hooked up to? If it's sitting in the lobby providing free web access to anyone, but is on your office network, then it's not just a time bomb, it's also been booby trapped. However, if it is sitting in a back room, has had most ports locked down, is monitoring some critical equipment, and is only accessible in certain ways, then it's quite possibly safe. DO THE RISK ASSESSMENT.
  4. "The HIPAA Security Rule specifically requires that you protect patient information with system patches and updates, which will not exist for Windows XP after April 8." The latter part is probably true. However, the former part about system patches and updates is NOT what the HIPAA Security Rule says. Neither the word patch nor the word update appears in the Security Rule. However, the word reasonable does, several times in 45 CFR 164.306. I suggest you READ IT FOR YOURSELF and stop relying on others to interpret it for you.
  5. "There are fewer than 12 weeks to replace every Windows XP device in your organization." NOPE. Not even close. If you let his assessment guide you, then sure. However, if you do your own assessment, you'll quite possibly find that the XP system used for that one specific task isn't a total security hole, and that there are things you can do to mitigate the risk while you address the issues on a reasonable timeline.
  6. "Getting rid of Windows XP means replacing both hardware and software." Not the last time I checked. It might be a good idea, but it is absolutely not required.
  7. "Replacing Windows XP lets you comply with both the HIPAA and Meaningful Use requirements that you secure patient data." No. Actually, doing a RISK ANALYSIS does, and not doing it is an automatic failure. Replacing equipment you have because some blog post told you to simply lets you spend money. Check the facts.
  8. "Some of your Windows XP computers may be managing diagnostic or special purpose devices, and are not managed as part of your office network. Don't let these hide from you as you replace your office systems. They all need to go." Actually, they don't necessarily. If you determine that THIS system is needed for your operations, and you take appropriate precautions, then it doesn't have to go.
  9. "Encryption was not in Windows XP but is now included in some business-class versions of Windows." Hmm. Really? How much software does this guy write? How many computers does he install? Encryption certainly was a feature of Windows XP. Otherwise, the first time you hit Google after they put in a forced redirect to https://www.google.com when you typed in http://www.google.com would have failed; that redirect only works because XP could speak SSL/TLS. And if you happen to have one of those ancient tanks around, you should also see that XP Professional includes the Encrypting File System (EFS), which encrypts files and folders on NTFS volumes. What XP did not have is full-volume encryption (BitLocker), which arrived with Vista; that is presumably the "business-class" feature he has in mind, and it is not the same thing as saying XP had no encryption.
  10. "Refer yourself to a specialist." Absolutely true. Totally non-bullshit. Now, what business do you think he might be in?

My guidance?  Do a risk analysis. And you can probably guess which specialist I probably wouldn’t select to lead it.

Something major has changed and that should automatically trigger a risk analysis.  Once you’ve finished that, make some well-reasoned decisions.  Those decisions will probably include a plan to upgrade operating systems to one that is supported, and/or replace older existing computers that cannot be upgraded, but those can be done in a reasonable time frame.

But don’t let some blog post full of BS panic you into doing something you don’t need to, or in a way that it is going to cost you a lot more than necessary.

This post was syndicated with permission.