Using Windows XP will be a HIPAA Violation

Microsoft Windows XP was one of the most liked and most widely used software platforms released by the software giant. It became the standard operating system around the world and was installed on the majority of PCs and laptops in the healthcare industry.

Microsoft sold millions of copies of its software, yet when Vista and subsequent products were released, many healthcare organizations did not upgrade. Programs had been written to be compatible with Windows XP, hardware compatibility issues would arise, and the sheer cost of upgrading software and buying new licenses for every laptop and PC in an organization was deemed by many to be an expense that could be put off indefinitely.

Unfortunately, the time has now come when the decision to upgrade computer operating systems can be put off no longer, as Microsoft is finally pulling the plug on Windows XP. It will stop writing software patches and issuing security updates in less than 12 months.

Microsoft stopped selling Windows XP five years ago and has allowed it to fade away; however, while Microsoft is willing to let that happen, many users are reluctant to make the switch to a new system. It has been estimated that as many as 40% of users are still running PCs and laptops on Windows XP.

A Ticking Time Bomb

The countdown has now begun and in less than 12 months all updates will stop, opening the door to viruses, malware, keyloggers and Trojans, and leaving newly discovered security vulnerabilities unpatched and exploitable by hackers. It is the latter which should be of particular concern to healthcare organizations. Cybercriminals are targeting healthcare organizations and attempting to steal healthcare data and PHI. The data can be used to commit fraud, and the rewards are far in excess of those that can be gained with credit card details.

Windows XP and HIPAA Compliance

The Department of Health and Human Services will be enforcing its HIPAA Security Rule, and the Office for Civil Rights (OCR) is expected to start audits to identify areas of HIPAA non-compliance. Any healthcare organization that fails to adhere to the data security legislation could be issued with a financial penalty for each non-compliance issue; the cost could run to millions of dollars.

HIPAA requires covered entities to have “procedures for guarding against, detecting, and reporting malicious software.” If no software updates are provided and no patches are available, running Windows XP on any networked terminal will be a direct violation of the HIPAA Security Rule and is enough to potentially incur a financial penalty.

Time for Action

On April 8th, 2014, Windows XP will cease to be HIPAA compliant; however, upgrading IT systems is not a quick process, especially in large healthcare organizations with thousands of devices running the software. There can be compatibility issues with other software systems, especially bespoke programs created for the healthcare industry.

Devices running XP may not have the hardware to run more advanced operating systems, which place higher demands on storage and memory. Many computers and laptops will need to be upgraded, the new software will need to be thoroughly tested, and staff training will need to be provided.

Twelve months may seem like a long time to make the change, but planning must start now in order to realistically meet the deadline and ensure your organization does not run out of time and breach HIPAA regulations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.