Windows XP support to end, raising HIPAA concerns
The writing's on the wall for a popular Windows operating system, and it reads, "DNR." But look closer and Microsoft's upcoming support termination for Windows XP spells concern with HIPAA.
Windows XP has essentially run its course and as of April 8, 2014, Microsoft will no longer provide the free security updates that protect your computer from malicious software (malware).
Keep in mind, if your practice accesses sensitive electronic Protected Health Information (e-PHI) on computers running Windows XP after the support end-date, that information could be at risk of being compromised, and your practice might therefore not be in compliance with HIPAA.
Because there's a lot of information circulating about the possible ramifications of the operating system's (OS) "end of support," it's important that ODs separate fact from fiction about HIPAA compliance and Windows XP.
Is Windows XP not compliant with the HIPAA security mandate?
There is no requirement that Windows XP must be HIPAA compliant. However, it is the responsibility of the covered entity—the health care provider—to ensure all office processes are compliant. Optometrists need to be aware that continued use of Windows XP after April 8, 2014, could put the OD at risk of not meeting HIPAA compliance requirements.
According to the U.S. Department of Health and Human Services (HHS), the security rule was written to provide covered entities the flexibility to determine adequate security measures, and does not specify minimum requirements for operating systems. However, it does specify that systems containing sensitive patient information must ensure protection against data breaches, and institute procedures for guarding against, detecting and reporting malicious software.
HHS goes on to say it is the covered entity's responsibility to implement safeguards to record and examine access and other activity in systems containing or using e-PHI.
My practice runs Windows XP. What do we need to know?
David Jaco, O.D., AOAExcel™ EHR consultant, says practices running Windows XP must complete a risk assessment and evaluate the potential threat that a cyber-intruder could access or corrupt e-PHI.
"It’s up to that covered entity to analyze their particular situation and evaluate the risk to make decisions based on that risk."
Although all computers running Windows XP after April 8, 2014, are called into question, they carry varying degrees of risk depending on their function. For instance, a Windows XP computer with an Internet connection is considered high risk, while one without such a connection is a lower risk.
However, the risk doesn't stop with computers at the front desk. Diagnostic equipment such as optical coherence tomography (OCT) machines that run Windows XP are also at risk. Disconnecting these machines from the Internet helps mitigate the risk, but not entirely, Dr. Jaco says. Now is the time to ask diagnostic equipment vendors about upgrades to supported operating systems.
Computers running Windows XP will still function after the end-of-support date, though Microsoft advises users that these computers should not be considered protected. In addition, anti-virus software won't be effective on unsupported systems, and the OS will become less compatible with newer software and hardware.
"I think this is a good time for each individual office to evaluate their particular risk, to consider upgrading [Windows] XP to a newer Windows operating system version, and again, consider making those changes to the most at-risk computers," Dr. Jaco says.
What do we need to do?
Optometry practices using Windows XP must perform a risk analysis and evaluate the potential for cyber-attacks that could access or corrupt e-PHI.
The AOA Washington Office suggests weighing the benefits of upgrading to a newer, supported Windows OS, and speaking with your diagnostic equipment vendors about plans to upgrade the OS in machines operating Windows XP.
Microsoft also offers suggestions on how to stay protected.