Excerpted from page 48 of the September 2017 edition of AOA Focus.
End of Support isn't exactly a death knell for a Windows operating system (OS), but it does open a security gap that optometric practices should close sooner rather than later: after that date, newly discovered flaws in the OS go unpatched.
In simplest terms, End of Support is a fixed date after which Microsoft no longer provides software updates, security patches or technical assistance for a Windows product or OS. That OS life cycle typically lasts 10 years, over the course of which Microsoft automatically pushes updates that help protect your computer from cyberthreats.
Therefore, practices that access Protected Health Information (PHI) on computers running a Windows OS that is past its support life cycle may be putting that information at risk of compromise.
Newer OS, better security
Earlier this year, the worldwide outbreak of the "WannaCry" ransomware demonstrated the importance of running a supported OS. Affected computers were believed either to have missed the security patch Microsoft had issued in March 2017 that would have blocked the attack (MS17-010, which closed the SMBv1 flaw WannaCry spread through), or to have been running an unsupported OS for which no patch existed. With nearly 300,000 computers affected globally, Microsoft took the unprecedented step of issuing patches for unsupported platforms, including Windows XP and Windows Server 2003, after the fact, but told customers not to get used to it.
"Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies," wrote Eric Doerr, Microsoft Security Response Center general manager, in a statement.
"The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements."
Still, a 2017 industry survey found that some 52% of businesses continue to run at least one instance of Windows XP and 9% run at least one instance of Windows Vista, which lost support in 2014 and 2017, respectively.
Compliance: It's your responsibility
So, what does this mean for doctors of optometry? HIPAA does not certify operating systems, so there is no requirement that a particular OS be "HIPAA compliant"; it is the responsibility of the covered entity to ensure that all office processes are compliant.
The U.S. Department of Health and Human Services (HHS) notes that the HIPAA Security Rule does not specify minimum OS requirements; it is the responsibility of the covered entity to implement PHI safeguards. That has put Microsoft's newest OS, Windows 10, under the HIPAA spotlight because of the way it collects data.
A 2016 white paper issued by AOAExcel® endorsed business partner Compliancy Group notes that while Microsoft has stressed the HIPAA compliance of its Office 365 and willingly signs Business Associate Agreements with SharePoint Online cloud-storage users, Microsoft had been mum on Windows 10. This OS automatically sends diagnostic and usage (telemetry) data to Microsoft to customize and streamline navigation, making it more user-friendly but a potential problem if any of that data touches PHI. That said, Windows 10 is still the most up-to-date Windows OS available, which means better protection against malware.
Therefore, the Compliancy Group white paper states: "Windows 10 users need to weigh these risks to security against the measures being taken within their own organization to guard the privacy of PHI.
"Hopefully, further guidance and new service packs from Microsoft will lend some further clarity on the issue. Until that time, users should continue to heavily vet their technology infrastructure to ensure that the PHI they come into contact with stays protected and secure."
Fast-forward one year, and Microsoft did release such an update in the form of the Windows 10 Creators Update in April 2017 (a feature update rather than a traditional service pack), which gives users and organizations more control over the data the OS shares. However, despite the update, the onus of safeguarding PHI rests on the provider alone.
Windows lifecycle reference
Below are the support time lines for the three most recent Windows releases to reach or approach End of Support (Windows Vista passed it in April 2017). Mainstream Support includes non-security fixes and design changes; Extended Support delivers security updates only. Both phases provide free security updates; at the conclusion of Extended Support, Microsoft ceases security updates.
Windows Vista
- End of Mainstream Support: April 10, 2012.
- End of Extended Support: April 11, 2017.
Windows 7
- End of Mainstream Support: Jan. 13, 2015.
- End of Extended Support: Jan. 14, 2020.
Windows 8.1
- End of Mainstream Support: Jan. 9, 2018.
- End of Extended Support: Jan. 10, 2023.
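As an added example (not from AOA Focus, Compliancy Group or Microsoft), the following PowerShell script checks the computer it runs on against the Extended Support dates listed above and also reports how long ago the machine last installed an update, which goes slightly beyond the table. It assumes PowerShell 3.0 or later (for Get-CimInstance), and the mapping from the kernel version reported by Windows (6.0, 6.1, 6.3) to the product names is this example's own assumption; Windows 10 reports version 10.0 and is serviced per release, so it is deliberately reported as "not in table".

```powershell
# Added example: flag a practice PC whose Windows version is past End of
# Extended Support, using the dates from the lifecycle reference above.
# Assumes PowerShell 3.0+ (Get-CimInstance). Version-to-name mapping is an
# assumption of this example, not something the article or Microsoft supplies.

# Extended Support end dates keyed by Windows kernel version (major.minor).
$extendedSupportEnd = @{
    '6.0' = @{ Name = 'Windows Vista'; End = [datetime]'2017-04-11' }
    '6.1' = @{ Name = 'Windows 7';     End = [datetime]'2020-01-14' }
    '6.3' = @{ Name = 'Windows 8.1';   End = [datetime]'2023-01-10' }
}

function Get-SupportStatus {
    param(
        # Version string as returned by Win32_OperatingSystem, e.g. '6.1.7601'
        [Parameter(Mandatory)] [string] $Version,
        [datetime] $Today = (Get-Date)
    )
    # Reduce '6.1.7601' to '6.1' so it matches the table keys.
    $key = ($Version -split '\.')[0..1] -join '.'
    if (-not $extendedSupportEnd.ContainsKey($key)) {
        return [pscustomobject]@{
            Name          = "Not in table (version $Version)"
            EndOfSupport  = $null
            DaysRemaining = $null
            Unsupported   = $null
        }
    }
    $entry = $extendedSupportEnd[$key]
    $days  = ($entry.End - $Today.Date).Days   # negative once support has ended
    [pscustomobject]@{
        Name          = $entry.Name
        EndOfSupport  = $entry.End.ToString('yyyy-MM-dd')
        DaysRemaining = $days
        Unsupported   = ($days -lt 0)
    }
}

# Query the running OS and report its support status.
$os = Get-CimInstance Win32_OperatingSystem
"$($os.Caption) (version $($os.Version))"
Get-SupportStatus -Version $os.Version | Format-List

# Days since the most recent installed update. A large number on a machine
# that is still in support suggests updates are not actually being applied.
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $age = ((Get-Date) - $lastFix.InstalledOn).Days
    "Last update $($lastFix.HotFixID) installed $age day(s) ago"
} else {
    "No installed updates reported by Get-HotFix"
}
```

Run it from a PowerShell prompt on each practice workstation (no administrator rights are needed for either query). Any machine whose output shows Unsupported set to True, or one still in support whose last update is months old, should be scheduled for upgrade or repair before it is used to access PHI again.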