Are you using computers that run Windows XP in your office? If you are, you may be violating HIPAA rules by doing so.
If you haven’t heard, on April 8th, 2014 Microsoft ended support for Windows XP, putting an end to the operating system.
Microsoft announced that they are no longer providing security updates and stated that:
“If you continue to use Windows XP after support ends, your computer will still work but it might become more vulnerable to security risks and viruses. What this means is that when using computers with Windows XP, you potentially expose your computers to a security risk. Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter greater numbers of apps and devices that do not work with Windows XP.”
The OCR (the HHS Office for Civil Rights) has been very clear that unsupported systems are NOT compliant. They cited this routinely during last year’s audits whenever it was identified.
Unsupported systems are by definition insecure and pose a risk not only to the data they hold, but to the network they reside on as well.
Additionally, any known vulnerabilities of an operating system should be considered in the covered entity’s risk analysis.
For example, as a compliance and auditing specialist, I tell my doctors that an operating system which includes a known vulnerability, which XP does, has to be considered an issue with regard to your “risk analysis.”
Addressing the risks means that as a doctor, you know what can happen by running XP and that you have a written plan for minimizing the risk.
This plan must be described in detail in your risk analysis and should include a timeline for your transition away from Windows XP.
To stay protected after support ends, you have two options:
- Update any current devices that are running Windows XP
This is definitely the simplest route, and for most doctors’ offices it’s the most cost effective.
Unfortunately, few older computers will be able to run Windows 8.1, which is the latest version of Windows.
Compliance & Auditing services recommends that you download and run the Windows Upgrade Assistant to check if your PC meets the system requirements.
The Windows 8.1 system requirements are nearly the same as Windows 8, so if your PC can run Windows 8, in most cases, you can get the free update to Windows 8.1.
Upgrade Assistant will also check program and device compatibility, and provide a free compatibility report.
Here is a summary of the system requirements:
Processor: 1 gigahertz (GHz) or faster
RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
Free hard drive space: 16 GB (32-bit) or 20 GB (64-bit)
Graphics card: Microsoft DirectX 9 graphics device with WDDM driver
You will need to perform a “clean installation.” This means you won’t be able to keep any files, settings, or programs when you upgrade.
We recommend you back up all files and locate any program installation discs prior to updating.
- If your current PC can’t run Windows 8.1, it’s time to consider a new one, given that the fines for a HIPAA Security Rule violation would far exceed the cost of purchasing a few new computers.
For most doctors, dealing with the technical stuff is a little bit challenging. After all, you’re an expert at treating patients, not computers.
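Before the Upgrade Assistant is run machine by machine, it helps to know which office PCs are still on XP and which ones fall short of the requirements above. The script below is an added example written for this post, not Microsoft’s tool or the author’s own code; it queries each PC over WMI, flags Windows XP (NT version 5.1 or 5.2) and compares CPU speed, RAM and free space on the system drive against the Windows 8.1 minimums. The computer names are placeholders, and it assumes an account with remote WMI rights and PowerShell 2.0 or later on the machine running it.

```powershell
# Added example (not from the original post). Placeholder names: replace with
# the PCs in your office inventory. Requires remote WMI access to each host.
$hosts = @('FRONTDESK-PC', 'EXAMROOM1-PC')

function Test-Win81Readiness {
    param([string]$ComputerName)
    $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    $cpu  = Get-WmiObject Win32_Processor -ComputerName $ComputerName -ErrorAction Stop | Select-Object -First 1
    $sys  = Get-WmiObject Win32_ComputerSystem -ComputerName $ComputerName -ErrorAction Stop
    $disk = Get-WmiObject Win32_LogicalDisk -ComputerName $ComputerName -ErrorAction Stop `
                -Filter "DeviceID='$($os.SystemDrive)'"

    # OSArchitecture does not exist on XP, so a missing value is treated as 32-bit.
    $is64    = $os.OSArchitecture -like '64*'
    $minRam  = if ($is64) { 2 } else { 1 }      # GB, from the requirements above
    $minDisk = if ($is64) { 20 } else { 16 }    # GB free on the system drive
    $ramGB   = [math]::Round($sys.TotalPhysicalMemory / 1GB, 1)
    $freeGB  = [math]::Round($disk.FreeSpace / 1GB, 1)

    # Windows XP reports NT 5.1 (32-bit) or 5.2 (x64); Server 2003 is also 5.2.
    New-Object PSObject -Property @{
        Computer  = $ComputerName
        OS        = $os.Caption
        IsXP      = ($os.Version -like '5.1*') -or ($os.Version -like '5.2*')
        CpuMHz    = $cpu.MaxClockSpeed
        RamGB     = $ramGB
        FreeGB    = $freeGB
        MeetsCpu  = $cpu.MaxClockSpeed -ge 1000
        MeetsRam  = $ramGB -ge $minRam
        MeetsDisk = $freeGB -ge $minDisk
    }
}

$report = foreach ($h in $hosts) {
    try   { Test-Win81Readiness -ComputerName $h }
    catch { Write-Warning "$h could not be queried: $_" }
}

# The DirectX 9 / WDDM graphics requirement is not reliably visible through WMI,
# so the Upgrade Assistant is still needed for that check on each candidate PC.
$report | Format-Table Computer, OS, IsXP, CpuMHz, RamGB, FreeGB, MeetsCpu, MeetsRam, MeetsDisk -AutoSize
```

Any row with IsXP set to True belongs in the written risk analysis with a dated transition plan; a False in any Meets column marks a machine that will need replacing rather than upgrading.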
If this is you, then talk with your IT person. They have the expertise in this area and should know exactly what to do.
Dr. John Davenport
Chief Compliance Officer
Compliance & Auditing Services