HIPAA and Windows XP

So what does the end of life for Windows XP mean for HIPAA-compliant organizations?

Next month, on April 8, 2014, Microsoft will stop supplying security updates and patches for Windows XP and Office 2003. Does that mean you have to replace every computer running Windows XP immediately?

When I look at all the workstations at a hospital, clinic or doctor's office, I usually find some machines that never access PHI. PHI is Protected Health Information, and ePHI is electronic Protected Health Information; this is the data that HIPAA requires you to protect. Workstations that do not access that information need to be replaced eventually, but running them on XP does not by itself constitute a HIPAA violation. If the PC is used to run a time clock, edit marketing materials, or run some other non-healthcare-related software, it can continue to operate without violating Meaningful Use or HIPAA.

Does that mean those machines can be left alone indefinitely? Definitely not. It won't take long for attackers to find and exploit a Windows XP flaw that will never be patched, and to turn thousands of neglected XP machines into spam bots, DDoS bots and malware-infested PCs that run slowly and constantly hang. An XP machine on the same network as your PHI systems is also a foothold from which those systems can be attacked.

However, if a PC does access patient information, then running it on Windows XP is a HIPAA violation, which also makes you non-compliant with Meaningful Use, and it is a time bomb that could easily cause a reportable and expensive breach of protected patient information. Entities that have accepted or earned Meaningful Use money and tax deductions are more exposed to HIPAA fines, and the loss of Meaningful Use money can far outweigh the expense of replacing old computers.

The HIPAA Security Rule requires you to manage the risks to patient information and to protect against malicious software, and that protection depends on system patches and updates, which will not exist for Windows XP after April 8. Windows XP is now 14 years old. Get prepared to replace those XP computers quickly.
1. Take replacing Windows XP seriously and act quickly. There are fewer than two weeks left to replace every Windows XP device in your organization. The deadline affects not only health care but every business and government agency, which has caused a shortage of available Windows 7 Pro workstations in the market.
2. When inventorying your organization, don't forget the laptops, tablets and micro-PCs; anything running Windows XP needs to be addressed, including machines that rarely connect to the network.
3. Don't run out to the local Wal-Mart and buy your replacement PCs there, because they will not have the business versions of Windows 7 or 8. Avoid any operating system with the word HOME in it. The Home editions cannot join a domain and lack the security features (such as BitLocker drive encryption and Group Policy management) needed to protect patient information.
4. Talk to an IT professional such as Micro Doctor to determine what will work best for you. We will sign HIPAA Business Associate Agreements and help keep you compliant with Meaningful Use.
5. Micro Doctor has Windows 7 Pro PCs in stock to replace your XP computers quickly and efficiently.
6. Backups are an important function for any business, but many backups are not encrypted and can expose you to data loss and breach. Micro Doctor offers different types of offsite encrypted backups: simple encrypted file and folder backups as well as complete disaster recovery servers that replicate entire servers to a secure offsite location.
7. It has become standard practice to encrypt the hard drives of portable computers that access PHI. If a device with a properly encrypted drive is lost or stolen, the PHI on it is considered unreadable, and you are exempt from reporting the loss as a data breach.
8. Doctors aren't IT professionals any more than IT professionals are doctors. Contact your local experienced and certified IT provider, Micro Doctor, for professional advice.
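As an added example (not part of the original post), here is a PowerShell inventory for step 2 above: it pulls every domain-joined computer that reported Windows XP to Active Directory, flags the ones that have not logged on recently (the laptops and tablets that are easy to miss), and optionally confirms the OS version live over WMI. It assumes the RSAT ActiveDirectory module is installed on a Windows 7 or later management workstation and that the account can read computer objects; the 90-day staleness window and the output file name are my choices, not anything the post specifies.

```powershell
# Added example, not from the original post: find domain-joined Windows XP machines.
# Requires the RSAT ActiveDirectory module and read access to computer objects.
Import-Module ActiveDirectory

# AD stores the OS name/version that each machine reported itself.
# Windows XP reports "Windows XP Professional" / version 5.1 (XP x64 reports 5.2).
$xp = Get-ADComputer -Filter 'OperatingSystem -like "*Windows XP*"' `
        -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, `
                    LastLogonDate, Enabled

# 90 days is an assumed threshold for "rarely connects"; adjust to your environment.
$staleAfter = (Get-Date).AddDays(-90)

$report = $xp | Select-Object Name, OperatingSystem, OperatingSystemVersion, `
    OperatingSystemServicePack, LastLogonDate, Enabled, `
    @{ Name = 'Stale'; Expression = { $_.LastLogonDate -lt $staleAfter } }

$report | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\xp-inventory.csv -NoTypeInformation

$active = @($report | Where-Object { -not $_.Stale })
"{0} XP computer objects found, {1} logged on within 90 days" -f @($report).Count, $active.Count

# Optional live check of the active ones. WMI over DCOM works against XP;
# PowerShell remoting (WSMan) generally does not, so Get-WmiObject is used here.
foreach ($c in $active) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c.Name -ErrorAction Stop
        "{0}: {1} (version {2})" -f $c.Name, $os.Caption, $os.Version
    } catch {
        "{0}: unreachable, verify by hand" -f $c.Name
    }
}
```

Machines that were never joined to the domain, including anything running a Home edition (which cannot join a domain), will not appear in this list, so reconcile the CSV against DHCP leases, the switch MAC tables, or your asset register before declaring the inventory complete.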
The HIPAA and Meaningful Use requirements for protecting patient data call for business-class solutions installed by qualified IT professionals. Protecting patient data requires professional knowledge of IT security. Devices that include security features must be properly installed, configured, and actively maintained; a security feature that ships with the product but is never turned on protects nothing.

The IT industry's equivalent of wellness care is Managed Services. Micro Doctor uses automated tools to remotely monitor the performance and security of your network. This can help you comply with HIPAA's requirements for monitoring access to data and for ensuring that your security controls stay in place over time.

Mark Richmond is a 25-year IT professional who maintains certifications from Microsoft, Cisco, SonicWall, HP and Dell, as well as HIPAA certification. Contact him at Info@microdoctor.com for more information on how we can help you avoid data breaches and costly regulatory fines.
