As was announced by Microsoft a long time ago, support for Windows XP is ending on April 8, 2014. For most of us, we don’t think this is a big deal and are asking, “Do people still use Windows XP?” However, IT support people in healthcare realize the answer to that question is yes, and far too much.
With Microsoft choosing to end its support for Windows XP, I wondered what the HIPAA implications were for those who aren’t able to move off Windows XP before April 8. Is using Windows XP when it’s no longer supported a HIPAA violation? I reached out to Mac McMillan, CEO & Co-Founder of CynergisTek for the answer:
Windows XP is definitely an issue. In fact, OCR has been very clear that unsupported systems are NOT compliant. They cited this routinely during the audits last year whenever identified.
Unsupported systems by definition are insecure and pose a risk not only to the data they hold, but the network they reside on as well.
Unfortunately, while the risk they pose is black and white, replacing them is not always that simple. For smaller organizations the cost of refreshing technology as often as it goes out of service can be a real challenge. And then there are those legacy applications that require an older version to operate properly.
Mac’s final comment is very interesting. In healthcare, there are still a number of software systems that only work on Windows XP. We’re not talking about the major enterprise systems in an organization. Those will be fine. The problem is the hundreds of other software a healthcare organization has to support. Some of those could be an issue for organizations.
Outside of these systems, it’s just a major undertaking to move from Windows XP to a new O/S. If you’ve been reading our blogs, Will Weider warned us of this issue back in July 2012. As Will said in that interview, “We will spend more time and money (about $5M) on this [updating Windows XP] than we spent working on Stage 1 of Meaningful Use.” I expect many organizations haven’t made this investment.
Did your HIPAA compliance officer already warn you of this? Do you even have a HIPAA compliance officer? There are a lot of online HIPAA Compliance training courses out there that more organizations should consider. For example, the designated compliance officer might want to consider the Certified HIPAA Security Professional (CHSP) course and the rest of the staff the HIPAA Workforce Certificate for Professionals (HWCP) course. There’s really not much excuse for an organization not to be HIPAA compliant. Plus, if they’re not HIPAA compliant it puts them at risk of not meeting the meaningful use security requirements. The meaningful use risk assessment should have caught this right?
I’m always amazed at the lack of understanding of HIPAA and HIPAA compliance I see in organizations. It’s often more lip service than actual action. I think that will come back to bite many in the coming years. One of those bites will likely be organizations with unsupported Windows XP machines.