Windows XP Won’t Be HIPAA Compliant April 8, 2014

As was announced by Microsoft a long time ago, support for Windows XP is ending on April 8, 2014. For most of us, we don’t think this is a big deal and are asking, “Do people still use Windows XP?” However, IT support people in healthcare realize the answer to that question is yes, and far too much.

With Microsoft choosing to end its support for Windows XP, I wondered what the HIPAA implications were for those who aren’t able to move off Windows XP before April 8. Is using Windows XP when it’s no longer supported a HIPAA violation? I reached out to Mac McMillan, CEO & Co-Founder of CynergisTek for the answer:

Windows XP is definitely an issue. In fact, OCR has been very clear that unsupported systems are NOT compliant. They cited this routinely during the audits last year whenever identified.

Unsupported systems by definition are insecure and pose a risk not only to the data they hold, but the network they reside on as well.

Unfortunately, while the risk they pose is black and white, replacing them is not always that simple. For smaller organizations the cost of refreshing technology as often as it goes out of service can be a real challenge. And then there are those legacy applications that require an older version to operate properly.

Mac’s final comment is very interesting. In healthcare, there are still a number of software systems that only work on Windows XP. We’re not talking about the major enterprise systems in an organization. Those will be fine. The problem is the hundreds of other software a healthcare organization has to support. Some of those could be an issue for organizations.

Outside of these systems, it’s just a major undertaking to move from Windows XP to a new O/S. If you’ve been reading our blogs, Will Weider warned us of this issue back in July 2012. As Will said in that interview, “We will spend more time and money (about $5M) on this [updating Windows XP] than we spent working on Stage 1 of Meaningful Use.” I expect many organizations haven’t made this investment.

Did your HIPAA compliance officer already warn you of this? Do you even have a HIPAA compliance officer? There are a lot of online HIPAA Compliance training courses out there that more organizations should consider. For example, the designated compliance officer might want to consider the Certified HIPAA Security Professional (CHSP) course and the rest of the staff the HIPAA Workforce Certificate for Professionals (HWCP) course. There’s really not much excuse for an organization not to be HIPAA compliant. Plus, if they’re not HIPAA compliant it puts them at risk of not meeting the meaningful use security requirements. The meaningful use risk assessment should have caught this right?

I’m always amazed at the lack of understanding of HIPAA and HIPAA compliance I see in organizations. It’s often more lip service than actual action. I think that will come back to bite many in the coming years. One of those bites will likely be organizations with unsupported Windows XP machines.

About the author

John Lynn

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

20 Comments

  • I’ve been telling practices about this for months, hoping they will create a smooth plan to replace these desktops rather than wait until April 1 and be angry and complaining about the cost and the downtime to replace all of the computers at once.

    From our audits, I see still about half of the computers at use in private practice to be XP.
    And why not? It works.

    Yes, the lack of understanding about HIPAA compliance is truly amazing, yet I’ve gotten over that surprise now and really, I’m surprised when an office has their act together…which is also sad.

  • It’s sad when apps are wedded to the intricacies of a particular browser or O/S! Ten years later, there are still company apps that will not work without IE6.0. In the Windows world, XP was a nice stable platform. Microsoft users have had to endure much pain and agony upgrading to Vista and now Windows 8.0. Unfortunately this is inherent in the beast that is Windows.

    Rather than upgrade within Microsoft, companies would do well to consider switching to the Mac O/S, especially since their existing platforms may likely need hardware upgrades anyway to accommodate the new Window versions. I did years ago and haven’t looked back. And since iOS is a subset of the Mac O/S, mobile integration might also be easier.

    Either way, serious applications should be able to work on Mac, Windows, or Linux platforms. If not, go somewhere else.

  • Working at a small to medium sized specialty group that interacts with several different hospital systems and other medical groups I personally am NOT amazed at the lack of understanding of HIPAA and HIPAA compliance. When you read the actual law, which I’m convinced very few people really do, CFR 160, 162 and 164 it appears to leave a great deal open to interpretation, and there are MANY conflicting interpretations in writing and in practice. There is no ONE way to do a security assessment for example, only guidelines. The hospitals we deal with have widely varying practices on the security requirments of their many applications. Resources available are few and healthcare reimbursement has been dropping despite rising health care costs for many years. It’s difficult for fiscally responsible small-medium sized organizations to manage. Hell, it’s difficult for our enormous government to follow the law. Surely most who follow current events in healthcare have read about the security problems with the Healthcare.gov website? Did they shut it down until it was deemed HIPAA compliant? No they forged ahead to avoid a political nightmare.

  • I spent several months this year working in a major bank (on a fill in contract). The firm was putting huge efforts into migrating all users to Win 7 ASAP and was at least half done when I departed. The effort was somewhat painful, and interfered with other projects, but it had very high priority. The bank did what it could to ease the pain and provide training and support.

    Keep in mind that banks and health care providers have parallel requirements for security and privacy. But in nearly every medical practice I’ve been to in the last year or two, XP is still king. Of course, most still don’t have EHR’s yet!

    I visited ‘my favorite’ hospital last week, and around the hospital – which has had an EHR for a few years (except for the ER, which kind of sort of has one), every PC I observed was running XP.

    This hospital is part of a huge hospital system which has dozens of IT job openings that it has trouble filling, and is clearly way behind on getting past XP, but still won’t even consider hiring anyone without extensive hospital IT PLUS clinical experience. If they were not so stubborn they might actually hire people who understand privacy and security issues in computing, and who are Win 7 capable. But IMHO they’ve got their heads buried in the sand and can’t see the end of the tracks for Win XP just months away, with the huge HIPAA and support problems that entails. Sure, they may pay Microsoft for some months of extra support – and therefore avoid immediate HIPAA violations, but they still miss the point – XP is not secure.

  • @ David
    I started out agreeing with you, then you switched directions twice.
    Yes, it would be great if EHRs were not wedded to a single device/OS.

    Apple isn’t always the bee-knees. We have clients who’ve had plenty of issues with IOS devices. IF people used Windows “properly” they’d see very few issues.
    It drives me nuts when software changes the “look” just to do so. Now things are in different places, and you have to find them. That happens with Windows and Apple (note the upgrade to iOS7)

    @Todd
    Your arguments are similar to those in accounting and finance and OSHA. No, you shouldn’t expect anyone in the office to be able to read the regs and understand them…what government regulations are that simple?
    Hire somebody to help you. Hire a 3rd party for the risk assessment. Sure it stinks, but you hire somebody to do your taxes and bookkeeping I’m sure.
    Same thing.

    @ R Troy
    True.

  • I agree with your points 100%.

    As someone from the technology industry (who is intimately familiar with system administration, virus/malware risks, and PCI compliance, I’ve been trying to warn people about the Windows XP EOL for awhile now.

    Unfortunately, when talking with less technical folks, it’s often like we’re speaking different languages. They dismiss the issues, saying things like “hackers have had 12 years to find exploits.”

    Almost all of the old Windows XP machines are networked. It’s a very dangerous situation.

    I wrote a blog post on the Windows XP EOL recently. You may be interested in it: http://www.additiveanalytics.com/blog/04-08-2014-will-organization-lose-hipaa-compliance/

  • Laura,
    I always love the security by obscurity idea. It’s true to some extent, but it’s a little different when we’re talking about an O/S that was used by so many billions of people.

  • I don’t foresee the XP doom and gloom as others here do. I think many practices are going to ignore this. Already, MU Stage 2 will be avoided by many practices, especially when they hear they have to incorporate secured messaging, which means Legally they are bound to answer things in writing they did not answer before, lack of answer and you could be equally in trouble. I feel the same with the XP end of life, many practices, especially those on a hosted/saas/cloud based solution will defer to the Firewall and Security on the Hosted Side, therefore, rendering less critical the device, albeit Windows (XP,7,8,8.1,RM), Mac, Android or IOS IPAD, or whatever comes to fruition in the future.

    Bottom line is PC obsolescence is could end up being the death nail to a already rejected comment that EHR’s save time and money. Adding these expenses, Portal Expenses, HIE integration, Patient Messaging, GEEZ WHAT DOES THE SMALL UNDER 10 DOCTOR GROUPS GOING TO DO. Clearly I see from many end users they will simply not comply and take penalties and eventually de-install to save money and pay the small stick the Government is passing out.

  • Also, Microsoft may end of life XP, but AVG, Norton, McAfee and many others will run to fill the void in the world of Security Software.

  • Brendon,
    I think you’re a brave (or stupid) clinic to continue using XP. I think it will be a no questions asked HIPAA violation. Not doing MU 2 is a different thing. I can see why many choose not to do it.

  • John,
    The problem is Windows XP is still the largest install base for Windows, period. Many have not made the transition, Device Drivers don’t always work, etc….

    My point is Hosted Solutions, NLA and Firewall/Endpoint security will remain, so I cannot see how patient HIPAA will be directly enforced on this matter.

    Upgrade on the other hand is a different matter, you can upgrade to Windows 7 or 8 or 8.1. I would argue, you are more at risk with Windows 8.1, who is relatively new OS then with a old OS with multiple solutions third party and patches to secure it then a new OS.

    In the end HIPAA is about protecting patient information, and this requires much comprehensive enterprise security that many will not be willing to partake in.

    By the way John, nice to comment on your site. I don’t post much anymore, but we are still doing well as I see are you.

  • Nice to have you commenting Brendon. It’s funny that you’re commenting and Al Borges was commenting this week as well. A little flashback to EMRUpdate.

    Glad to hear business is good. I’m considering doing an EMR Founder’s video series where I interview a bunch of EHR founders and hear their stories.

    Business is good, but really busy. I’m organizing my first conference (http://www.healthitmarketingconference.com/) and it’s a lot of work, but it’s going to be a great event.

  • Here is a question for this topic. What if the IT system is virtual via Citrix XenDesktop and everyone runs on a Virtual Windows 7 computer in the cloud but the endpoint that they connect from is Windows XP that is joined to the domain and locked into a FAT Client where they are unable to get to the XP OS and are immediately pushed into a Virtual Machine where they do their work? Are the XP dumb terminals a compliance issue even though XP is used only to run “Citrix Receiver” and “Citrix Appliance Lock” to allow the user to enter the Windows 7 environment?

  • John Harris,
    A number of people have asked me similar questions. I’ll reach out to Mac and see if he has a comment as well. I think it would likely require a deep dive into the specific technology and how it worked to answer the question. However, I believe it would still be a HIPAA violation.

    The first reason I think so is that it’s likely that the Citrix app is storing some of the data it receives on the XP box even if only temporarily. This could be an issue since that would be PHI stored on the XP machine. It might be possible to make the case for why this isn’t the case or that it’s stored in an encyrypted format. Although, will an auditor dig into those details?

    The more problematic issue to me though is that if XP is compromised, then they could still access what you’re doing on your Citrix connection. Think about a keylogger or screenscraper that gets installed on your XP machine because it was vulnerable. Then, it doesn’t matter that you’re using XP as a dumb terminal, because it’s just scrapping what you do.

    There are probably other issues as well, but I think that’s enough for me to not be comfortable having XP even as essentially a dumb terminal.

  • […] The first reason is that the lifecycle of a Windows 8 machine is much longer than an iPad or Android tablet. A Windows 8 tablet that you bought 5 years ago could still easily be supported by an IT shop and will work with your various software systems. A 3 year old iPad could very well not work with your EHR software and Apple has already stopped supporting O/S upgrades on the original iPads which poses similar HIPAA Compliance issues to Windows XP. […]

  • I think if you have an XP PC that is completely locked down and only the EMR software runs on it and there is no way to get to the internet you are not losing HIPAA compliance.

    All this doom and gloom talk it a bit crazy if your machine is not open to attach when it can only one program and has no way to access the internet.

    We have movile carts running XP and it can only be used to run the EMR software.

    No worries here.

Click here to post a comment
   

Categories