
HIPAA Risks of Breach: Windows XP Will No Longer be Supported by Microsoft

February 5, 2014
Filed under Compliance

(February 5, 2014):  Has your practice addressed the latest HIPAA risks of breach that have been identified?  As discussed below, health care providers must take immediate remedial action if they are currently running Windows XP on one or more of their office computers.

Why is this action necessary?  Because after April 8, 2014, Microsoft will no longer issue security updates or patches for this operating system. As a result, any computer still running this outdated operating system will effectively be non-compliant with HIPAA and HITECH regulations.

I.   Windows XP Support Ends April 2014:

Historically, Windows XP has been one of Microsoft’s most popular operating systems. It was first released in August 2001 and is still widely used on personal computers in both homes and business environments.  In fact, many health providers continue to use Windows XP on their workstations as part of a multi-faceted system that integrates electronic hardware, software, medical devices and the internet.

Unfortunately, as computers and the internet have become an integral part of the health care industry, Windows XP-based computer systems and workstations have become a likely target for malicious activity. To combat these problems and protect users from cyber threats, Microsoft has customarily provided technical support for its software products for a period of years after each product’s release. Generally, this support comes in the form of security updates and “service packs,” a service pack being a collection of updates, fixes, or enhancements to a software program or operating system that is delivered as a single installable package.

In the case of Windows XP, the software product has been out for more than a decade, and multiple newer versions of Windows have been released during that period.  As a result, Microsoft has announced that after April 8, 2014, Windows XP will no longer be supported.  From a practical standpoint, this means that health care providers and other customers who still operate computers running Windows XP will no longer receive new security updates, non-security hotfixes, free or paid support, or online technical content updates. Any new vulnerabilities identified in the Windows XP operating system after April 8th will remain unaddressed by Microsoft.  Therefore, it will likely be easier for computer hackers to infiltrate and exploit any Windows XP-based system through unpatched vulnerabilities.

II. After April 2014, Providers Relying on Windows XP Systems will Have Another HIPAA Risk:

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress on August 21, 1996.  HIPAA regulates the availability and exchange of “Protected Health Information” (PHI) and helps prevent the unlawful release of patient medical information. The statute also helps reduce instances of health care fraud and abuse, and sets standards for industry-wide billing procedures.  Under HIPAA, health care providers are obligated to take a wide range of steps designed to secure and protect PHI.

Both a “Privacy Rule” and a “Security Rule” are covered under HIPAA. These rules apply to “Covered Entities,” which include health plans, health care clearinghouses such as billing services, and health care providers that transmit health data in a way that is regulated by HIPAA. The Privacy Rule and the Security Rule have been designed to protect patient privacy and set standard procedures for the security of electronic PHI (e-PHI). Together, these two rules establish national standards for ensuring that a patient’s health information is kept confidential and secure.

Subsequent to the passage of HIPAA, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.  HITECH was created to encourage the adoption of electronic health records (EHR) and other support technology. Notably, the law also:

  • Expanded the obligations of physicians and other health care providers under HIPAA to protect patients’ PHI.
  • Extended the Privacy and Security Rules to business associates of the covered entities who have access to the PHI.
  • Increased the penalties for violations of those obligations under the rules. 

For health care providers who still utilize Windows XP-based computer systems, the decision by Microsoft to terminate its technical support of the software is very problematic.  Once Windows XP is no longer supported by Microsoft, any computer running this system will be more susceptible to HIPAA risks of breach and/or other security risks.

III.  What Actions Should Health Care Providers Utilizing Windows XP Systems Take?

Many large health care provider organizations are already aware of this security concern and have implemented new operating systems.  However, many small to mid-sized health care providers have only recently learned of Microsoft’s support termination decision.  To the extent possible, these health care providers should examine their computer systems and determine whether their current Windows XP operating system can be upgraded to a more recent operating system, such as Windows 7 or Windows 8.  Unfortunately, many older computer systems may not support an operating system upgrade. As a result, a health care provider may have to completely replace one or more of its office computer systems.  While replacement will be expensive, it will still be far cheaper than the monetary penalties that a provider may face if a HIPAA breach occurs due to the provider’s continued use of a computer running Windows XP.

Health care providers should immediately determine whether their practice’s Compliance Officer has conducted a review of the organization’s computers (and associated operating systems) to ensure that after April 8th the equipment will still be HIPAA/HITECH compliant.  If Windows XP-based systems are still in use, a transition strategy should be identified and implemented.
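The review described above starts with an inventory: every workstation, its operating system, and whether that operating system is still supported on the audit date. The following script is an added example and is not part of the original article or any Liles Parker tool. It reads a constructed sample inventory (the hostnames and rows are made up), normalizes the inconsistent OS strings that asset exports typically contain, and flags each host as "support-ending", "unsupported" or "ok" relative to the April 8, 2014 date stated in the article. The `END_OF_SUPPORT` table is an assumption limited to that one date; a practice would extend it from the vendor's lifecycle data.

```python
"""Flag end-of-life operating systems in a practice's workstation inventory.

Added example (not from the original article). Reads an asset inventory as CSV
text and reports every host whose operating system is past, or approaching,
its vendor end-of-support date as of the audit date.
"""
import csv
import io
import re
from datetime import date

# Vendor end-of-support dates used for the check. Only the Windows XP date
# (stated in the article) is included; extend from vendor lifecycle data.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
}

# Constructed sample inventory (not real hosts). The OS strings are
# deliberately inconsistent, as exported inventories usually are.
SAMPLE_INVENTORY = """\
hostname,os,last_seen
frontdesk-01,Microsoft Windows XP Professional SP3,2014-02-03
billing-02,Windows XP,2014-02-04
exam-room-3,Windows 7 Professional,2014-02-04
ultrasound-cart,windows xp embedded,2014-01-30
server-01,Windows Server 2008 R2,2014-02-04
"""


def normalize_os(os_string):
    """Map a free-form OS string to a key in END_OF_SUPPORT, or None.

    Matching is deliberately broad (any string containing "windows xp" is
    flagged, including embedded variants) so that the compliance officer
    reviews borderline devices rather than silently skipping them.
    """
    s = re.sub(r"\s+", " ", os_string.strip().lower())
    for key in END_OF_SUPPORT:
        if key in s:
            return key
    return None


def audit_inventory(csv_text, audit_date):
    """Return a list of (hostname, os, status) tuples.

    status is 'unsupported' when the audit date is on or after the vendor's
    end-of-support date, 'support-ending' when the date is known but still in
    the future, and 'ok' when the OS is not in the end-of-support table.
    audit_date may be a datetime.date or an ISO string such as '2014-02-05'.
    """
    if isinstance(audit_date, str):
        audit_date = date.fromisoformat(audit_date)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = normalize_os(row["os"])
        if key is None:
            status = "ok"
        elif audit_date >= END_OF_SUPPORT[key]:
            status = "unsupported"
        else:
            status = "support-ending"
        findings.append((row["hostname"], row["os"], status))
    return findings


def hosts_needing_action(csv_text, audit_date):
    """Hostnames that need an upgrade or replacement plan."""
    return [host for host, _, status in audit_inventory(csv_text, audit_date)
            if status != "ok"]


if __name__ == "__main__":
    # Run against the constructed inventory on the article's publication date.
    for host, os_name, status in audit_inventory(SAMPLE_INVENTORY, "2014-02-05"):
        print(f"{host:18} {status:16} {os_name}")
```

Running the script on the article's publication date lists the three Windows XP hosts as "support-ending"; rerunning it with an audit date of 2014-04-08 or later reports them as "unsupported", which is the state the transition strategy must eliminate. Replacing `SAMPLE_INVENTORY` with a real export from the practice's asset management tool gives the Compliance Officer the list the review in this section calls for.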

IV.  Conclusion — Reducing the HIPAA Risks of Breach in Your Practice:

Importantly, the Windows XP operating system issue is merely one of many privacy concerns that must be addressed by a practice’s Compliance Officer.  The failure of a health care provider to recognize and address the Windows XP security risk can lead to a breach of PHI and a possible privacy compliance audit by the Office for Civil Rights (OCR).  Depending on the facts, an OCR audit can lead to the imposition of civil monetary penalties (CMPs).

All health care providers should affirmatively review the mandatory requirements under the HIPAA and HITECH laws.  Frankly, there is no valid excuse for a covered entity not to have already conducted a proper risk assessment of its practice. Appropriate safeguards to protect individual patient PHI must be instituted to ensure that a breach does not occur.  Don’t let the theft of PHI through an obsolete operating system be the first time you assess the safety and security of your PHI. Taking measures to implement an effective compliance plan NOW is just your first step. In doing so, you can better ensure that your continuing obligation to fully comply with applicable statutory and regulatory requirements is being met.  Need help setting up your Compliance Plan or in conducting a HIPAA Omnibus Rule risk assessment?  Give us a call.

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors.  The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews.  For a free consultation, call Robert at:  1 (800) 475-1906.