It’s official. Microsoft has ended support for Windows XP. In an ideal world, we’d all be running up-to-date operating systems on blazingly fast, new hardware. Unfortunately, that’s just not the world we live in. Many organizations are still “stuck” with Windows XP and may be for some time. This may be because of financial constraints, resource saturation, or something else altogether. Regardless of the reason, if you find yourself in this situation today and you work with EPHI, you’ve got some work to do to mitigate your risks under the HIPAA Security Rule.
If you do a web search for “Windows XP and HIPAA Compliance” you’ll find two very different schools of thought. First, you’ll find the folks who claim you’re automatically non-compliant if you have a single Windows XP machine on your network. A good example of this is No HIPAA or Meaningful Use Compliance with Windows XP. The other camp argues that it’s not so cut and dried. They suggest that you conduct a thorough Risk Analysis of your environment and take whatever action is most “reasonable and appropriate” for your particular situation. My favorite examples are HIPAA Bull**** about Windows XP and Is Your Health Insurance Portability and Accountability Act (HIPAA) Compliance Program Going Out the Window with XP? Both articles recommend a very sensible course of action. They aptly point out that “there is no one-size-fits-all approach to compliance with the HIPAA Security standards” and that certainly applies to the use of Windows XP. Let’s take a closer look.
What does the rule say?
Here it is, right from the horse’s mouth (i.e. the HHS web site):
PROTECTION FROM MALICIOUS SOFTWARE (A) – § 164.308(a)(5)(ii)(B) One important security measure that employees may need to be reminded of is security software that is used to protect against malicious software. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must implement:
“Procedures for guarding against, detecting, and reporting malicious software.”
Malicious software can be thought of as any program that harms information systems, such as viruses, Trojan horses or worms. As a result of an unauthorized infiltration, EPHI and other data can be damaged or destroyed, or at a minimum, require expensive and time-consuming repairs. Malicious software is frequently brought into an organization through email attachments, and programs that are downloaded from the Internet. Under the Security Awareness and Training standard, the workforce must also be trained regarding its role in protecting against malicious software, and system protection capabilities. It is important to note that training must be an ongoing process for all organizations.
There are two things of note here:
1. The (A) in PROTECTION FROM MALICIOUS SOFTWARE (A) stands for “Addressable.” This means we must implement this standard if it’s reasonable and appropriate to do so. HHS states, “This decision will depend on a variety of factors such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.” Here’s a link to the complete HHS explanation.
The “Addressable” classification gives you options. It allows HIPAA to push organizations towards “best-practice” without enforcing a rigid framework that makes it difficult for them to adapt and stay in business.
2. HHS focuses on the importance of training your staff. This is a huge factor in mitigating any type of risk identified in your analysis. It’s certainly advisable to have clear guidelines governing the use of your organization’s technical infrastructure and to educate your staff on the various risks that they can help to mitigate.
What should you do right now?
First and foremost, conduct a thorough Risk Analysis. If you haven’t done so, you’re officially “non-compliant,” regardless of anything else. If you don’t know where to begin, check out the recently released HHS Security Risk Assessment Tool.
If you’ve identified risks to EPHI tied to your continued use of Windows XP and aren’t in a position to move away right now, you should address the issue directly and in writing. Explain why it’s not currently feasible for your organization to migrate and create a plan that lays out how and when you will (or at least establish a date for reevaluating the move). Then, identify the steps you have taken (or will take) to mitigate the risks. Maybe you’ll isolate the machine(s), update network usage policies, or conduct updated staff training. Whatever the risk, you can always do SOMETHING to reduce it, even if only slightly.
This is HIPAA Compliance
HIPAA Compliance is not a checklist. It’s a process, a way of conducting business. It’s the process we just walked through. Don’t take advice from folks who speak in black and white and generalize the whole rule. Do your due diligence and document your decisions. Establish a routine for constant review and improvement and keep your policies in order. If you do that consistently, you’ll always be “audit-ready.” That is the spirit of the rule.
Disclaimer: This post is intended to advocate a way of thinking when it comes to compliance with the HIPAA Security Rule. I don’t recommend the continued use of an unsupported OS in any computing environment, if it can be avoided. But, if you are stuck with one, don’t stick your head in the sand.
More on HIPAA from Donald F. Lee III: