No HIPAA or Meaningful Use Compliance with Windows XP

Just 12 Weeks to Get Rid of Windows XP

By Mike Semel
Twitter: @SemelConsulting

Time’s up. On April 8, 2014, Microsoft is ending security updates and patches for Windows XP and Office 2003. Just having a Windows XP computer on your network will be an automatic HIPAA violation, which makes you non-compliant with Meaningful Use, and will be a time bomb that could easily cause a reportable and expensive breach of protected patient information. HIPAA fines and loss of Meaningful Use money can far outweigh the expense of replacing your old computers.

The HIPAA Security Rule specifically requires that you protect patient information with system patches and updates, which will not exist for Windows XP after April 8. NIST guidance goes into more detail. In the early days of computers you upgraded your systems based on the introduction of new Intel chips and Microsoft operating systems. This cost thousands of dollars per user every few years. Everything settled down, and now you have to replace Windows XP computers that may have been in use for 14 years. Yes, they may still work, but are you driving a 14-year-old car or watching a 14-year-old TV? Get past any denial and accept the fact that compliance regulations and Meaningful Use money require you to do this. Here are some ideas to help you make the right decisions.

  1. You need to take replacing Windows XP seriously and act quickly. There are fewer than 12 weeks to replace every Windows XP device in your organization. The deadline not only affects health care, but every business and government agency, which is likely to result in a shortage of equipment and delays getting replacement systems installed. It may take weeks or months to order equipment and get it installed, after you have gone through your purchasing process.
  2. Getting rid of Windows XP means replacing both hardware and software. Consider replacing desktops with laptops, micro PCs that mount to the backs of monitors, all-in-one computers, thin clients without hard drives, or tablets. Look at the new ways to purchase or ‘rent’ software like word processing, spreadsheets, presentations, online backups, and file sharing. Rather than installing and supporting expensive software programs on every device, you can pay low monthly fees for the latest software through the cloud, where everything is accessed through the Internet. Talk to an IT professional to determine what will work best for you. Be sure you only consider vendors that will sign HIPAA Business Associate Agreements and validate to you that they comply with HIPAA. (Any breach they cause may be your responsibility.)
  3. Replacing Windows XP lets you comply with both the HIPAA and Meaningful Use requirements that you secure patient data. Whatever computers you decide to buy must include business-class operating systems that include features to secure access and protect data. ‘Home’ operating systems do not have security features that can protect patient data. You must have a professional version of Windows that includes security features and can join a domain. Don’t be delusional and think that all of your protected patient data is in your EHR system. It may be all over your office on individual PCs. Data should not be stored on individual PCs because it makes it harder to comply with HIPAA and to secure and back up everything. Have a professional IT specialist set up your network so data is always stored on a secure server that is backed up offsite. A network set up with a server as a domain controller will also enable you to comply with HIPAA’s requirements for secure access and retaining access logs for six years.
  4. Some of your Windows XP computers may be managing diagnostic or special-purpose devices and are not managed as part of your office network. Don’t let these hide from you as you replace your office systems. They all need to go. Many diagnostic tools, from imaging to dental to ophthalmologic devices, have dedicated Windows XP computers that came with the device and are supported by that vendor. Talk to the vendor now. Hospitals may have Windows XP computers connected to point-of-sale systems in Admissions, the billing office, cafeterias, and gift shops.
  5. Encryption was not in Windows XP but is now included in some business-class versions of Windows. It can also be purchased separately from vendors like WinMagic, Symantec, and McAfee/Intel Security. Encryption should be installed on every computer that stores any patient data, including servers, desktops, laptops, and portable devices. Encryption not only protects data at a higher level than passwords, it exempts you from reporting a lost or stolen device. Considering the recent $1.5 million fine for a lost laptop, $1.7 million fine for a lost hard drive, and $150,000 fine for a lost thumb drive, encryption is your cheapest insurance against a reportable data breach.
  6. Refer yourself to a specialist. Your office is not your home. Just because they may function does not mean you can use the same consumer-grade computers, software, and networking devices that would work in your home. Doctors aren’t IT professionals any more than IT professionals are doctors. The HIPAA and Meaningful Use requirements that you protect patient data require business-class solutions installed by qualified IT professionals. Protecting patient data requires a professional knowledge of IT security. Devices that include security features must be properly installed, configured, and actively maintained.
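Point 4 above asks you to find every Windows XP machine before the deadline. The following is an added example, not part of the original article, that pulls a dated list of domain-joined computers still reporting Windows XP from Active Directory; it assumes the RSAT ActiveDirectory PowerShell module is installed and the account running it can read computer objects, and the CSV output path is a placeholder.

```powershell
# Added example (not from the original article): inventory domain-joined computers
# that still report a Windows XP operating system, with their last logon time.
# Assumes the RSAT ActiveDirectory module is installed and AD read access.
Import-Module ActiveDirectory

# Attributes the computer object records when the machine last authenticated.
$props = 'OperatingSystem', 'OperatingSystemServicePack', 'LastLogonDate', 'IPv4Address'

$xpHosts = Get-ADComputer -Filter { OperatingSystem -like "*Windows XP*" } -Properties $props |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address |
    Sort-Object LastLogonDate -Descending

if ($xpHosts) {
    Write-Host ("{0} Windows XP computer(s) still in Active Directory:" -f @($xpHosts).Count)
    $xpHosts | Format-Table -AutoSize
    # Keep a dated copy for the compliance file; the path is a placeholder.
    $xpHosts | Export-Csv -Path ".\xp-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
} else {
    Write-Host "No domain-joined Windows XP computers found."
}

# Caveat: this only sees machines that have joined the domain. Vendor-managed
# diagnostic PCs and point-of-sale systems that never joined will not appear
# here and must be found by walking the building and asking each vendor.
```

A stale LastLogonDate on an XP entry usually means the machine is already gone or powered off; confirm and remove the object rather than leaving it in the inventory.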

This article was originally published on 4Medapproved’s HIT Security Column and is republished here with permission.