Liles Parker PLLC

HIPAA Risks of Breach: Windows XP Will No Longer be Supported by Microsoft

February 5, 2014
Filed under Compliance

(February 5, 2014): Has your practice addressed the latest HIPAA risks of breach that have been identified? As discussed below, health care providers must take immediate remedial action if they are currently running Windows XP on one or more of their office computers.

Why is this action necessary? Because after April 8, 2014, Microsoft will no longer issue security updates or patches for this operating system. As a result, any computer running this outdated operating system will effectively be non-compliant with HIPAA and HITECH regulations.

I. Windows XP Support Ends April 2014:

Historically, Windows XP has been one of Microsoft’s most popular operating systems. It was first released in August 2001 and is still widely used on personal computers in both homes and business environments. In fact, many health providers continue to use Windows XP on their workstations as part of a multi-faceted system that integrates electronic hardware, software, medical devices and the internet.

Unfortunately, as computers and the internet have become an integral part of the health care industry, Windows XP-based computer systems and workstations have become a likely target for malicious activity. To combat these problems and protect users from cyber threats, Microsoft has customarily provided technical support for its software products for a period of years after the product’s release. Generally, this support comes in the form of a “service pack,” a collection of updates, fixes, or enhancements to a software program or operating system that is delivered as a single installable package.

In the case of Windows XP, the software product has been out for more than a decade, and multiple newer versions of Windows have been released during that period. As a result, Microsoft has announced that after April 8, 2014, Windows XP will no longer be supported. From a practical standpoint, this means that health care providers and other customers who still operate computers running Windows XP will no longer receive new security updates, non-security hotfixes, free or paid support, or online technical content updates. Any new vulnerabilities identified in the Windows XP operating system after April 8th will remain unaddressed by Microsoft. Therefore, it will likely be easier for computer hackers to successfully infiltrate and exploit any Windows XP-based system via unpatched or non-secure vulnerabilities.

II. After April 2014, Providers Relying on Windows XP Systems will Have Another HIPAA Risk:

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress on August 21, 1996. HIPAA regulates the availability and exchange of “Protected Health Information” (PHI) and helps prevent the unlawful release of patient medical information. The statute also helps reduce instances of health care fraud and abuse, and sets standards for industry-wide billing procedures. Under HIPAA, health care providers are obligated to take a wide range of steps designed to secure and protect PHI.

Both a “Privacy Rule” and a “Security Rule” are covered under HIPAA. These rules apply to “Covered Entities,” which include health plans, health care clearinghouses such as billing services, and health care providers that transmit health data in a way that is regulated by HIPAA. The Privacy Rule and the Security Rule have been designed to protect patient privacy and set standard procedures for the security of electronic PHI (e-PHI). Together, these two rules establish national standards for ensuring that a patient’s health information is kept confidential and secure.

Subsequent to the passage of HIPAA, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. HITECH was created to encourage the adoption of electronic health records (EHR) and other support technology. Notably, the law also:

  • Expanded the obligations of physicians and other health care providers under HIPAA to protect patients’ PHI.
  • Extended the Privacy and Security Rules to business associates of the covered entities who have access to the PHI.
  • Increased the penalties for violations of those obligations under the rules.

For health care providers who still utilize Windows XP-based computer systems, the decision by Microsoft to terminate its technical support of the software is very problematic. Since Windows XP is no longer supported by Microsoft, any computer operating this system will be more susceptible to HIPAA risks of breach and/or other security risks.

III. What Actions Should Health Care Providers Utilizing Windows XP Systems Take?

Many large health care provider organizations are already aware of this security concern and have implemented new operating systems. However, many small to mid-sized health care providers have only recently learned of Microsoft’s support termination decision. To the extent possible, these health care providers should examine their computer systems and determine whether their current Windows XP operating system can be upgraded to a more recent operating system, such as Windows 7 or Windows 8, and should immediately begin that transition. Unfortunately, many older computer systems may not support an operating system upgrade. As a result, a health care provider may have to completely replace one or more of his or her office computer systems. While replacement will be expensive, it will still be far cheaper than the monetary penalties that a provider may face if a HIPAA breach occurs due to the provider’s continued use of a computer running Windows XP.

Health care providers should immediately determine whether their practice’s Compliance Officer has conducted a review of the organization’s computers (and associated operating systems) to ensure that after April 8th the equipment will still be HIPAA/HITECH compliant. If Windows XP-based systems are still in use, a transition strategy should be identified and implemented.

IV. Conclusion — Reducing the HIPAA Risks of Breach in Your Practice:

Importantly, the Windows XP operating system issue is merely one of many privacy concerns that must be addressed by a practice’s Compliance Officer. The failure of a health care provider to recognize and address the Windows XP security risk can lead to a breach of PHI and a possible privacy compliance audit by the Office for Civil Rights (OCR). Depending on the facts, an OCR audit can lead to the imposition of civil monetary penalties (CMPs).

All health care providers should affirmatively review the mandatory requirements under the HIPAA and HITECH laws. Frankly, there is no valid excuse for a covered entity not to have already conducted a proper risk assessment of its practice. Appropriate safeguards to protect individual patient PHI must be instituted to ensure that a breach does not occur. Don’t let the theft of PHI through an obsolete operating system be the first time you assess the safety and security of your PHI. Taking measures to implement an effective compliance plan NOW is just your first step. In doing so, you can better ensure that your continuing obligation to fully comply with applicable statutory and regulatory requirements is being met. Need help setting up your Compliance Plan or in conducting a HIPAA Omnibus Rule risk assessment? Give us a call.

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law. Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors. The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews. For a free consultation, call Robert at: 1 (800) 475-1906.

Healthcare Cloud Computing – Compliance Risks

(August 14, 2012): Cloud computing is in the process of revolutionizing the way that individuals and businesses store, receive, and use their data. You may have heard about it through companies such as Google, Apple, and Microsoft, all advertising sophisticated cloud computing services. But what are the risks your organization faces with respect to healthcare cloud computing?

I. What is Healthcare Cloud Computing?

Essentially, “healthcare cloud computing” is the process of using various offsite computer and server resources that are delivered to users remotely through the internet. You use a program on your computer to access data, software, and powerful processing resources at a remote location. Because nearly all of the data storage and processing is done remotely, there is less of a need for high-powered, sophisticated computers at a user’s location, meaning individuals and small businesses can access computer tools that had previously only been reserved for the largest of corporations. In fact, a recent survey by Microsoft found that 39% of small business owners were beginning to engage in some sort of cloud-based computing.

II. Risks of Healthcare Cloud Computing:

Reliance on healthcare cloud computing can expose a provider and his/her practice to a variety of very serious risks. Chief among these risks is the potential for a substantial privacy breach. Because data and data systems are maintained offsite, a provider, biller, or facility cannot ensure that the data contained on these remote servers is properly secured. As you know, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the use of Protected Health Information (PHI) through its Security and Privacy Rules. These laws, administered by the Office for Civil Rights (OCR), protect the privacy of individual patients by setting out rules and repercussions concerning the wrongful use or disclosure of PHI. Under HIPAA and the HITECH Act of 2009, there are 4 tiers of potential penalties a “covered entity” might face for wrongful use or disclosure or a security breach. Notably, nearly every healthcare provider is, at this point, a covered entity.

Despite an awareness that both known and emerging risks are present, many health care providers appear to have resigned themselves to the view that the unparalleled convenience of healthcare cloud computing more than makes up for the potential dangers faced when using this medium. Notably, many cloud computing services advertise that they are HIPAA compliant or have undergone an SAS 70 Type II audit. Be careful – these audits can vary greatly in terms of their adequacy and sophistication, and may continually fail to meet the standards of HIPAA and HITECH. On top of this, as a health care provider, you are not in a position to ensure that the cloud computing company will continue to meet these standards. In any event, should a breach occur, you will still be on the proverbial “hook” with OCR and its auditing contractors. Your decision to store PHI on a cloud computing server will not alleviate you of your obligation to safeguard patient medical records and personal information. You are ultimately responsible for PHI entrusted to you by your patients, not the cloud service provider. There are a number of technical security concerns that you should understand:

  • First, how is data stored at the 3rd party site? Is the data of all clients thrown together on one server or on one hard drive, or does each client have a dedicated server? In addition, what if a server has a technical failure? If such an event occurs (as it inevitably will), the 3rd party vendor needs to completely destroy any PHI on their servers and have an available backup to ensure that the data still exists in some form. It is difficult for both you and the 3rd party vendor to guarantee this.

  • Second, transferring data to and from your “cloud” must be done through a secure channel (that is, “https://”). You need to specifically inquire with a cloud vendor whether a dedicated, secure connection can be established so that the “highway” through which your data passes cannot be accessed by others.

  • Third, the interface your organization uses to interact with the remote cloud server is at risk for security breaches, and you should ensure that the 3rd party host has developed properly secured interfaces. Again, this can be hard to do.

  • Finally, and probably most importantly, what about the employees of the remote cloud service? They generally have access to a substantial amount of sensitive data, and you have no ability to train, discipline, or terminate those individuals should wrongdoing occur. As you know, next to the theft of laptops and other mobile electronic devices, curious employees accessing unauthorized PHI is the most common type of breach under HIPAA. Couple that with a 3rd party vendor over whose employees you have no control, and it could mean substantial trouble if an individual employee wants to start exploring your patients’ medical records.

III. Conclusion:

As a result of these serious concerns, we strongly recommend that providers continue to use an internal server stored onsite. While it can be more expensive, it’s the only true way to ensure that your patients’ PHI is protected in accordance with HIPAA’s Privacy and Security Rules. In addition, you should consider conducting an internal HIPAA audit of your physical security, administrative safeguards, and electronic transmissions. Importantly, this audit should be done through counsel, so that any concerns may be reasonably covered by the attorney-client privilege.

Robert Liles counsels providers on HIPAA compliance risks, HIPAA breach notification and implementing effective compliance plans. In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at: 1 (800) 475-1906.