We are getting a lot of calls about XP patch support ending April 8, 2014. This is mostly due to articles claiming that using Windows XP is a HIPAA violation. Violation is a strong word, especially considering that in almost all cases we find other devices in the environment that are also end of life. The bigger issue is ensuring a holistic process to track patches for computer systems and network devices, and in particular putting plans in place to replace end-of-life information system and network components.
The risk depends on the particular environment, the organization's acceptable risk, the mitigating controls in place, and the level of due diligence in meeting the requirements of the OCR's guidance on the HIPAA Security Rule. This means performing a risk analysis, identifying vulnerabilities, and assessing the risk for all gaps in compliance.
For a reasonable amount of time, it is our opinion that organizations can put mitigating controls in place on XP machines, such as vendor-supported anti-virus and encryption. In the short term, compensating controls like anti-virus, spam filters, web filters, patch management procedures, continuous monitoring, etc., will provide an acceptable level of risk for most organizations. In the long term, organizations should put a plan in place to upgrade these systems to Windows 7 or newer, since the unsupported platforms cannot simply be ignored.
In other words, don't feel you are on the edge of a cliff with respect to the April 8th deadline for XP support ending. Instead, perform a HIPAA Security Analysis based on the change in your environment (i.e., XP end of life), and for this particular item at 164.308(a)(5)(ii)(B), capture workstation updates as well as firewalls, switches, routers, wireless access points, servers, mobile devices, etc.
And most importantly, plan an XP migration project with a reasonable and appropriate due date and a responsible person to ensure the project is implemented.
We at MCS have spent years automating and simplifying the HIPAA Gap Assessment and Security Risk Analysis process in a TurboTax-like software solution called HIPAA One. HIPAA One can be used to self-assess your own HIPAA environment, perform a mock audit, and provide training for staff on the HIPAA Security Officer's responsibilities. Please contact us for a free review of your previous HIPAA Security Risk Analysis reporting.