In the past couple of weeks I’ve gotten a couple dozen questions from my clients that are small to midsized covered entities (CEs) or business associates (BAs) under HIPAA, in addition to several small to midsized start-ups that provide services in other industries. While some of these concerns arose out of completely erroneous advice, regrettably, some of the questions resulted from my own mea culpa: a confusing sentence in my last blog post, for which I’ve since provided a clarification within that post. (Lesson: after cutting text for length, I need to spend more time double-checking and editing before posting.) I apologize for any confusion or alarm that may have arisen as a result.
However, this does provide a good opportunity to examine in more depth the compliance issues related to Windows XP use, and the related questions I’ve received. The following are the most common questions I’ve answered in the past several days.
Did I automatically become HIPAA non-compliant on April 8 if I still have XP systems?
No, it is not correct to say that organizations that still have Windows XP automatically became HIPAA non-compliant after April 8. HIPAA does not specify the types or versions of operating systems (OSs) that must be used. The Department of Health and Human Services (HHS), which oversees HIPAA compliance, has stated multiple times in multiple venues over the years that it does not, and will not (at least in the foreseeable future), mandate specific operating systems, in order to allow reasonable flexibility for CEs and BAs to meet compliance requirements.
However, HIPAA does require organizations to identify their information security risks (through a risk management program and by performing risk assessments), and then to mitigate those risks appropriately. Running XP on a system that creates, receives, maintains or transmits PHI would generally be considered a high-risk practice: once vendor security patches stop, every newly discovered vulnerability in that system stays open. It would therefore likely be reported as an audit finding, and would likely be identified as a High Risk within any risk assessment that occurs.
I advise all organizations to identify every system running XP, determine the risks to PHI from those systems, and then establish a plan to upgrade appropriately and as soon as feasible.
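The first step, finding the XP systems, is often harder than it sounds in an organization that has never kept an asset inventory. As an added example that is not from the original post, the PowerShell below pulls every domain-joined computer whose Active Directory record identifies Windows XP, along with when it last authenticated to the domain, so the list can go straight into the risk assessment and upgrade plan. It assumes the ActiveDirectory module (from RSAT) is installed and the account running it can read AD; the output path is an assumption too.

```powershell
# Added example (not from the original post): enumerate domain-joined computers
# whose AD OperatingSystem attribute identifies Windows XP. Assumes the
# ActiveDirectory module (RSAT) is installed and the caller can read AD.
# Machines that are not joined to the domain will NOT appear here and must be
# found another way (network scan, purchasing records, asset inventory).
Import-Module ActiveDirectory

$xpHosts = @(Get-ADComputer -Filter 'OperatingSystem -like "*Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate)

# LastLogonDate tells you whether the object is a live machine or a stale
# record: a recent date means the box is still on the network and in use.
$xpHosts |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate |
    Sort-Object LastLogonDate -Descending |
    Format-Table -AutoSize

# Export for the risk register / upgrade plan. The path is an assumption.
$xpHosts |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, DistinguishedName |
    Export-Csv -Path .\xp-inventory.csv -NoTypeInformation

"$($xpHosts.Count) Windows XP computer object(s) found in Active Directory."
```

Treat the result as a starting point, not the whole answer: the OperatingSystem attribute reflects what the machine reported when it last updated its own record, so a host that was rebuilt but never re-joined can be mislabelled, and standalone workstations, embedded devices and anything on an isolated network segment will be missing entirely. Reconcile the export against whatever other inventory you have before you sign off on the risk assessment.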
Do I have to report my XP system as a breach to the HHS?
While continuing to run Windows XP is a risk, it is not a reportable breach of PHI. A breach is quite different from a risk. Generally, a privacy breach occurs when PHI, or some other type of personal information, has been, or may have been, used or accessed without authorization: for example, a laptop containing PHI is stolen, or you know a hacker got into the network and may have reached a patient database. An unpatched operating system is a weakness that could lead to such an event; it is not, by itself, that event.
Continuing to run XP is, however, usually considered a high-risk practice, and will typically appear as a High Risk finding in any audit or risk assessment. That finding is something to address through your risk management program, not through the breach notification process.
Do I need to upgrade from XP on my computer that processes credit card payments?
This is slightly more straightforward than the HIPAA and other regulatory compliance questions, the answers to which are (rightly so) based on the related risks. If you are processing credit card payments, then you almost certainly need to comply with the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS Requirements 6.1 and 6.2 cover the need to keep systems up to date with vendor-supplied security patches, which protects systems from known vulnerabilities. When an operating system (such as XP) is no longer supported by its vendor, security patches are no longer issued for newly found vulnerabilities, so a system running it cannot be kept patched against known vulnerabilities and will not meet these requirements.
Depending upon your system and what you use it for, you may be able to implement compensating controls that acceptably mitigate the risks of continuing to use XP and, if they prove effective, meet the intent of Requirements 6.1 and 6.2. Under PCI DSS, such controls have to be documented on the standard’s Compensating Controls Worksheet and accepted by your assessor, and they are a stopgap rather than a permanent answer. You will need someone with in-depth knowledge of information security, Windows XP and the associated IT systems to be involved to ensure such compensating controls are truly effective.
Bottom line for all businesses of all sizes…
It is not a privacy breach to be running XP, and you did not automatically fall into HIPAA non-compliance on April 8 if you have not upgraded all your Windows XP systems. You will not automatically fall into non-compliance with any other regulations either, but under PCI DSS you will fall out of compliance with the patching requirements unless you take immediate and effective risk mitigation actions, through documented compensating controls, or upgrade.
You need to determine the risks associated with running XP now that it is no longer supported; there will be risks that need to be addressed. And it is important to understand that those risks will increase over time, since Windows XP support stopped on April 8, 2014 and newly discovered vulnerabilities in it will no longer be patched. Make plans now to upgrade to a new, supported OS as soon as possible, based upon consideration of all these risks.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
Tags: awareness, compliance, cybersecurity, data protection, HIPAA, IBM, Information Security, infosec, midmarket, non-compliance, PCI DSS, personal information identifier, personal information item, PI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, surveillance, training, upgrade, Windows XP, XP upgrade