How withdrawal of Windows XP support affects you

July 1, 2014

Whether you practice in a small private practice, a commercial setting, or a large hospital-based institution, Microsoft's withdrawal of support for Windows XP as of April 8, 2014 needs to be seriously addressed by you or your organization.


What does withdrawal of support mean?

There will be no more security updates or technical support for the Windows XP operating system. Security updates patch the vulnerabilities that malware and attackers exploit; without them, every flaw discovered in XP from now on stays open on every XP machine. Critical flaws could allow an attacker to take over or cripple a PC running XP, and ePHI (electronic protected health information) and other confidential patient data stored on or reachable from that PC will be far more exposed to hackers, viruses, and malware. Microsoft does sell extended custom support to large organizations, but it is expensive and not a realistic option, even in the short term, for the average practice.

What does this mean for you?

If you do nothing and are running software on XP machines:

• HIPAA compliance. According to the American Optometric Association (AOA), “There is no requirement that Windows XP must be HIPAA compliant. However, it is the responsibility of the covered entity, the healthcare provider, to ensure all office processes are compliant. Optometrists need to be aware that continued use of Windows XP after April 8, 2014, could mean the OD is at risk for not meeting HIPAA compliancy.”1

• Meaningful Use compliance. According to the Office of the National Coordinator for Health Information Technology (ONC), “Core Objective & Measure 15: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”2 So, by attesting to Meaningful Use, you are attesting that you have analyzed the security risks to your patient data and corrected the deficiencies you found. A machine that can no longer receive security updates is exactly such a deficiency, so the attestation does not hold if you are still running XP with no intervention.

• Medical billing systems. Because EHR and billing vendors must themselves adhere to the HIPAA Security Rule, it is possible that medical billing and claims software will drop support for Windows XP, which could leave a practice unable to submit claims from an XP system.

• Hardware security. Today, many instruments, such as OCTs, digital cameras, and visual field testers, run on embedded or attached XP computers. If those devices are on your office network, they are exposed to the same attacks as any other XP PC: an intruder who reaches them can read the PHI they store, corrupt their databases, or disable the instrument itself. Because the software on these devices is controlled by the device vendor, you usually cannot patch or upgrade them on your own, so they need to be inventoried and handled separately from your ordinary PCs.

• Credit card security. An establishment that processes credit cards on an XP machine cannot meet the Payment Card Industry Data Security Standard (PCI DSS v2.0) requirement to protect systems from known vulnerabilities by installing vendor-supplied security patches, because no further patches will be issued. Continuing to take cards on such a machine without documented compensating controls puts the practice out of compliance.



If your office is running XP

You do not have to run out and change everything tomorrow, but you should conduct a professional risk assessment as soon as possible. No one is coming to knock on your door tomorrow with a six-figure HIPAA fine or to take away your Meaningful Use incentive. If you were not able to make these changes by April 8, you must redo your HIPAA risk assessment. It must include a well-documented evaluation of the out-of-compliance computers and a clear plan for transitioning to a system that provides appropriate protection, such as Windows 7 or 8 or some other solution. The plan should identify each non-compliant computer, where it sits on the network and what it can reach, and either the timeframe for replacing it or the specific steps that will keep it secure in the meantime.

All virus and security software, no matter what operating system it is running on, should be up to date. David Jaco, OD, AOAExcel EHR consultant, says practices running Windows XP must complete a risk assessment and evaluate the potential threat of a cyber-intruder that could access or corrupt ePHI. The risk assessment should be done with a professional IT company familiar with these concerns; many companies are qualified to handle your risk assessment and plan, and the AOA offers a service to help you. Completing and documenting the assessment addresses the immediate compliance gap, but it does not by itself make the XP machines any safer; the fixes it identifies still have to be carried out. If a data breach occurs before you have fully implemented the solutions from your risk analysis, cyber liability coverage is available. When a data breach occurs in an optometric practice, the cost of recovering is upward of $240 per record, according to industry data.3

Here are two examples to illustrate risk assessment:

• If an XP computer sits in your waiting room providing free web access to anyone, and is also on your office network, then, bingo, you wear orange coveralls, or at the very least have violated HIPAA rules. An unpatched machine that any visitor can use is the easiest possible foothold onto the same network that carries your ePHI.

• If an XP computer is in a back room, has every network port it does not need blocked, has no Internet access, is monitoring important equipment, and can be reached only through a few defined and documented paths, then it may be acceptable to keep, provided the risk assessment records why.

Solutions

Your risk assessment will give you time to implement several solutions. These may include:

• Replacing your computers with ones running Windows 7 Professional or Windows 8 Professional. Most current EHRs no longer install on XP, so a new PC for every vulnerable XP computer is a must.

• Contact the vendors of any and all equipment that runs XP and is on the Internet or your office network. The solutions they offer vary, and with so many vendors involved, doing your own due diligence is the only way to know you are compliant. Some will upgrade your software on a new computer, while others will run the old software on a compliant computer. Ask how to move to newer versions of their software that are compatible with Windows 7 or later. If you subscribe to a maintenance plan, you may just need to download their newest software and apply your own testing process. If not, you may face pricey upgrades to move to their new platform.

If a vendor really does not offer a solution, or the solution is simply too costly, you can continue running XP on that device only if you restrict its network connectivity to the minimum possible. The network is the primary attack vector, so an XP system that other machines cannot reach is far easier to protect. Any connection it still needs (to a single practice-management server, for example) should be limited to that one destination and to the specific ports the vendor requires. The simplest option is to take the device completely offline, print its results, and scan them into your practice management software.

Some other easily achievable fixes include:

• Remove administrative rights. Every remaining Windows XP user should run as a standard (limited) user; this should be mandatory. Malware that lands on an account without administrative rights cannot install drivers or system-wide software, which blunts many attacks even when the underlying flaw will never be patched.

• Address the most common attack vectors: web browsing and e-mail. Remove web browsing and e-mail software from XP systems, or block their network access where a component such as Internet Explorer cannot be uninstalled, and provide those capabilities from a server-based system that is kept up to date.

• Keep the rest of the software updated where possible, including Microsoft Office. Vendors of other software running on these XP systems may continue to support their products for a while, so apply those updates. Every patched component further reduces the surface area that can be attacked.
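The isolation steps above, as an added example that is not from the original article or from any equipment vendor: a Windows XP batch script run once from an Administrator command prompt on the instrument PC itself. The server address 192.168.1.20, TCP port 1433 and the account name frontdesk are assumptions for illustration; take the real server and port list from the device vendor's documentation. One caveat a practitioner should know: the XP firewall filters inbound traffic only, so blocking the machine's outbound and Internet access still has to be done on the office router or switch. The proxy setting below only breaks casual browsing in Internet Explorer on this one machine.

```batch
@echo off
REM Added example (not from the article): lock down a remaining Windows XP
REM instrument PC. Run from an Administrator command prompt on the XP box.
REM 192.168.1.20, port 1433 and "frontdesk" are placeholders; substitute the
REM server, ports and account names that apply in your own office.

REM 1. Turn the built-in firewall on for every profile. Exceptions stay
REM    enabled so the single allowance in step 2 can work; everything that
REM    is not explicitly opened is blocked inbound. Then switch off the
REM    default exceptions Microsoft ships with XP.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL
netsh firewall set icmpsetting type=ALL mode=DISABLE profile=ALL

REM 2. Allow inbound connections only on the one port the instrument
REM    software needs, and only from the practice-management server.
netsh firewall add portopening protocol=TCP port=1433 name="PM server only" mode=ENABLE scope=CUSTOM addresses=192.168.1.20 profile=ALL

REM 3. Take administrative rights away from the day-to-day account.
REM    Keep one separate local admin account for the vendor technician.
net localgroup Administrators frontdesk /delete

REM 4. Point Internet Explorer at a proxy that does not exist, so casual
REM    web browsing from this machine fails immediately. The setting is
REM    per user, so repeat it while logged in as each remaining account.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d 127.0.0.1:1 /f

REM 5. Show the resulting configuration so it can be printed and filed
REM    with the HIPAA risk assessment as evidence of the controls applied.
netsh firewall show config
net localgroup Administrators
```

Keep the printed output from step 5 with the risk assessment for that computer; it is the documentation an auditor will ask for, and it is what you will re-check after the vendor technician has been on the machine.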

Expensive, high-tech workaround solutions do exist, but they are not for the small or even medium-sized practice. One, for example, is air gapping: a network security measure in which a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. It is used for computers and networks that must be extraordinarily secure, and computers on opposite sides of the air gap have no way to communicate over the network. Taking a single instrument offline, as described above, is a small-scale version of the same idea; what makes a full air gap costly is maintaining a complete separate network and workflow around it. Either way, remember that a USB stick or other removable media carried across the gap is itself a way in, so anything used to move results off an isolated machine should be dedicated to that purpose and scanned on the receiving side.

While a cloud-based EHR seems like a viable solution, the computer you are using is still vulnerable, and at some point the vendor will stop supporting an XP operating system. Moving the EHR to the cloud moves the server out of your office, but the XP machine still holds the browser session, the login credentials, and every keystroke of patient data typed into it, and because that machine is connected to the Internet, all of that remains exposed.

When you left the office on April 8, 2014, that was the last day you ran supported Windows XP systems at your office. But guess what? Nothing looked different when you walked in on April 9. Over time, there will be application and security challenges that must be overcome. Please conduct a risk analysis as soon as possible with an experienced IT professional. Contact your hardware vendors, especially those with equipment interfaces. Now is the time to take action. Start working on your strategy for moving your computers and medical devices off Windows XP. Analyze your vendor support for upgrading to a newer operating system, inventory your affected devices, and decide how you will update your endpoints. Moving to a newer operating system will give your facility a more secure environment, help you meet HIPAA/HITECH/Meaningful Use requirements, and let you sleep at night.


1. American Optometric Association website. Windows XP support to end, raising HIPAA concerns. February 27, 2014. Accessed June 16, 2014.

2. The Office of the National Coordinator for Health Information Technology website. Guide to Privacy and Security of Health Information. Accessed June 16, 2014.

3. American Optometric Association website. Protect your practice with cyber coverage. February 5, 2014. Accessed June 17, 2014.
