Wednesday, February 12, 2014

HIPAA Bullshit about Windows XP

OK, don't get me wrong.  I usually like the stuff posted over at HITechAnswers, but this is one of those days where posting free content just doesn't pay.  First, read the post in question.

Now, let's see where the feces lie.

  1. Just having a Windows XP computer on your network will be an automatic HIPAA violation.
    There may be automatic HIPAA violations, but JUST HAVING A WINDOWS XP computer on your network isn't one of them.  Not doing an annual risk analysis is.  And if you do a risk analysis and can verify that you've taken appropriate steps to protect other computers on your network from the Windows XP computers which may also need access to that network, then you may be in compliance (depending on what else you found).
  2. Which makes you non-compliant with Meaningful Use.
    HIPAA violations don't automatically make you non-compliant with Meaningful Use.  There is nothing in Meaningful Use that says that if you have a HIPAA violation you lose your incentive $$$.  HIPAA violations happen, and HHS can penalize you for them, but at the moment they cannot cost you your status as a meaningful user.   What Meaningful Use does say about it can be found at 42 CFR 495.6(j)(16)(i) and (l)(15)(j).
  3. and will be a time bomb that could easily cause a reportable and expensive breach of protected patient information
    OK, not really bullshit, but still the crap-o-meter is up there.  What is that computer doing and what is it hooked up to?  If it's sitting in the lobby providing free web access to anyone, but is on your office network, then it's not just a time bomb, it's also been booby trapped.  However, if it is sitting in a back room, has had most ports locked down, and is monitoring some critical equipment, and is only accessible in certain ways, then it's quite possibly safe.  DO THE RISK ASSESSMENT.
  4. The HIPAA Security Rule specifically requires that you protect patient information with system patches and updates, which will not exist for Windows XP after April 8.
    The latter part is probably true.  However, the former part about system patches and updates is NOT what the HIPAA Security Rule says.  I suggest you READ IT FOR YOURSELF and stop relying on others to interpret it for you.
  5. There are fewer than 12 weeks to replace every Windows XP device in your organization.
    NOPE.  Not even close.  If you let his assessment guide you, then sure.  However, if you do your own assessment, you'll quite possibly find that the XP system used for that one specific task isn't a total security hole, and that there are things you can do to mitigate the risk while you address the issues on a reasonable timeline.  Neither the word "patch" nor the word "update" appears in the Security Rule.  However, the word "reasonable" does, several times in 45 CFR 164.306.
  6. Getting rid of Windows XP means replacing both hardware and software.
    Not the last time I checked.  It might be a good idea, but it is absolutely not required.
  7. Replacing Windows XP lets you comply with both the HIPAA and Meaningful Use requirements that you secure patient data.
    No.  Actually, doing a RISK ANALYSIS does, and not doing it is an automatic failure.  Replacing equipment you have because some blog post told you to simply lets you spend money.  Check the facts.
  8. Some of your Windows XP computers may be managing diagnostic or special purpose devices, and are not managed as part of your office network. Don’t let these hide from you as you replace your office systems. They all need to go.
    Actually, they don't necessarily.  If you determine that THIS system is needed for your operations, and you take appropriate precautions, then it doesn't have to go.
  9. Encryption was not in Windows XP but is now included in some business-class versions of Windows.
    Hmm.  Really?  How much software does this guy write?  How many computers does he install?  Encryption certainly was a feature of Windows XP.  Otherwise, the first time you hit Google after they put in a forced redirect from http://www.google.com to https://www.google.com, the connection would have failed, because HTTPS needs SSL/TLS support in the operating system and browser.  And if you happen to have one of those ancient tanks around running XP Professional, you'll also find that you can mark files and folders on an NTFS volume for encryption (EFS).  That is per-file encryption tied to the user's account rather than full-disk encryption of the system volume, but it is encryption.
  10. Refer yourself to a specialist.
    Absolutely true.  Totally non-bullshit.  Now, what business do you think he might be in?
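Items 3, 5 and 8 all come down to the same check: once the risk analysis has decided that a particular XP box may stay because it is locked down and only reachable in certain ways, you have to be able to verify that decision rather than take it on faith.  The script below is an added example and not code from this post or from HITechAnswers.  It parses nmap's grepable output (`nmap -sS -oG - <targets>`) and compares each legacy host's open TCP ports against the exposure the risk analysis accepted for it.  The scan text, host names, addresses and accepted port sets are all constructed for illustration.

```python
"""Compare an nmap grepable (-oG) scan of legacy hosts against the exposure the
risk analysis accepted for them.  Added example; every host, address and port
set here is constructed for illustration, not taken from a real scan."""
import re
from collections import defaultdict

# Constructed sample of `nmap -sS -oG - 10.0.5.0/24` output for three hypothetical hosts.
SAMPLE_SCAN = """\
# Nmap 6.40 scan initiated Wed Feb 12 10:00:00 2014 as: nmap -sS -oG - 10.0.5.0/24
Host: 10.0.5.10 (xp-lobby-kiosk)\tStatus: Up
Host: 10.0.5.10 (xp-lobby-kiosk)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 10.0.5.20 (xp-lab-analyzer)\tStatus: Up
Host: 10.0.5.20 (xp-lab-analyzer)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
Host: 10.0.5.30 (win7-frontdesk)\tStatus: Up
Host: 10.0.5.30 (win7-frontdesk)\tPorts: 135/open/tcp//msrpc///\tIgnored State: closed (999)
# Nmap done at Wed Feb 12 10:01:00 2014 -- 256 IP addresses (3 hosts up) scanned
"""

# What the (hypothetical) risk analysis accepted for each legacy XP host: the TCP
# ports that may be reachable from the office network.  Hosts not listed here are
# not legacy systems and are ignored by the comparison.
ACCEPTED_EXPOSURE = {
    "10.0.5.10": set(),   # lobby kiosk: nothing should listen toward the office LAN
    "10.0.5.20": {445},   # lab analyzer: the file share its instrument software needs
}

# One port entry in the -oG "Ports:" field looks like 445/open/tcp//microsoft-ds///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {ip: {port: state}} for every 'Ports:' line in nmap -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        ip = line.split()[1]
        # The Ports field ends at the next tab-separated field (e.g. "Ignored State:").
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if proto == "tcp":
                hosts[ip][int(port)] = state
    return dict(hosts)


def unexpected_exposure(scan, accepted):
    """For each host the risk analysis covers, list open TCP ports it did not allow.

    An empty result means the scan agrees with what the risk analysis decided;
    anything else is a finding to fix (or to re-analyze and document)."""
    findings = {}
    for ip, allowed in accepted.items():
        open_ports = {p for p, s in scan.get(ip, {}).items() if s == "open"}
        extra = sorted(open_ports - allowed)
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    for ip, ports in unexpected_exposure(parse_grepable(SAMPLE_SCAN), ACCEPTED_EXPOSURE).items():
        print(f"{ip}: open TCP ports outside the accepted exposure: {ports}")
```

Against the constructed sample, the kiosk shows up with RPC, NetBIOS, SMB and RDP reachable when the analysis said nothing should be, while the lab analyzer matches its documented exposure and generates no finding.  Run the real scan from a host on the office network, not from the XP box itself, since the point is what the rest of the network can reach.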
My guidance?  Do a risk analysis.  And you can probably guess which specialist I wouldn't select to lead it.

Something major has changed, and that should automatically trigger a risk analysis.  Once you've finished it, make some well-reasoned decisions.  Those decisions will probably include a plan to upgrade operating systems to one that is supported, and/or to replace older computers that cannot be upgraded, but those can be done in a reasonable time frame.

But don't let some blog post full of BS panic you into doing something you don't need to, or in a way that it is going to cost you a lot more than necessary.

8 comments:

  1. Great article. It's good information to know, as I thought just having XP was a HIPAA threat. If anyone who reads this is trying to upgrade, try NComputing. We have it. It was super inexpensive and easy to upgrade. Wish I had it at my last job.

  2. Thank you, that is how I interpreted it.

  3. Couldn't agree more... We have enough big Government out there dictating what we can and cannot do. Why have Microsoft dictate what's compliant and not compliant? What's next... all our automobile manufacturers say you can't drive a 12-year-old car due to the car not being "Road Compliant"? All of this to line the manufacturers' pockets? Thanks again for the great article...

  4. What you have done is spun your own interpretation and really failed to offer proper advice on the rules of HIPAA. "Reasonable"? Are you trying to say that a 14-year-old OS, with a company that has notified users for YEARS that it is going out of service, has not given you reasonable time to remove that now unsupported OS? That's simply not true, and any audit or reviewer is not going to accept that, except as BS. No one will be able to claim ignorance... so... you will be fined if caught with XP on your network, and you will generate untold heartache and a LOT more in-depth investigation of your facilities, because if they found even 1 box (locked down or not) they will want to see if there are any more anywhere. Why would you want to give your company any cause for concern by not removing those older OSs from the network? That is really foolishness. Any compliance officer or executive will want those removed and understands the cost is insignificant compared to the fines. In addition, there are so many other issues and concerns, such as whoever else is interacting with your system will also not want to be associated with a non-compliant network. Again, why would you suggest anything else to a healthcare organization? Just because you want to try and hold on to a technicality (run an analysis? Really? Of course you follow the proper chain, but it is going to lead you to want to replace it). Hundreds of thousands of dollars to millions in fines just so you can try to keep an OS... very bad judgement and ill advice.

  5. This is an excellent article. The article you reference was originally written by an IT company trying to stir up some sales. I don't know why HITech would republish such nonsense, other than trying to keep people proactive. Sure, XP is done, but don't go around spreading false information!

  6. I really don't care if anyone's personal or company network is compromised because they refuse to update a very insecure OS, which came out when CRTs were the monitor of choice. I'll bet anything that the computers using XP are now using upgraded flat-screen monitors, which underlies the discontinuity of philosophy in companies like this: they hang onto one resource (an OS) with the grip of death, but will willingly update other resources whose upgrade has less impact on the company's actual performance and/or security. Nevertheless, my big problem with this issue is that I share an ecosystem with these "sick" computers: the Internet. Protecting a computer against attacks is not an individual thing anymore; if you let yourself be vulnerable, you are compromising the environment we both share, and I don't want that. Quoting Tech Republic on this issue: "Those who ignore the mountain of warnings and continue to use Windows XP do so at their own risk. Unfortunately, their risk is also our risk, because compromised systems end up in botnets, distributing spam, or hosting and distributing malware. Continuing to use Windows XP on the public internet is akin to going out in public with an active virus and coughing on people. Do yourself and everyone else a favor. Either make a switch to a supported operating system... or move to [another country]." A little inflammatory at the end, but it makes the point. If you want to continue to use XP, then stay off of the public Internet, because you will have no idea whether you have become the digital equivalent of Typhoid Mary or not, and the chances that you have are going to go up daily.

  7. This one is a great article. I would like to give special thanks to this blog author. Keep posting like this.