What you need to know about HIPAA compliance and Microsoft.
Steven Presement
Just when you thought not much more could happen in a year already chocked-full of regulatory changes, here comes another bombshell that will take health care totally by surprise.
Microsoft has announced that as of April 8th, it will no longer support Windows XP, an operating system that is still in use in one-third of Windows-based computers across the world. This change also means is that Microsoft will no longer release security patches for Windows XP—the updates that combat hackers. In fact, Microsoft has said, “PCs running Windows XP after April 8, 2014, should not be considered to be protected.”
By rule of law, if you are still accessing your patient’s data using a Windows XP computer after this date, you will no longer be HIPAA-compliant. This could expose you to a reportable breach of protected patient information. Potential HIPAA fines will no doubt exceed the cost to fix the problem. The HIPAA security rule specifically requires that you protect patient information with operating system security patches (although it does not indicate specific operating systems).
In reality, your computers will not crash, and your patient data will not be floating in cyberspace for everyone to see—it simply means that a breach could happen, and you will be more exposed than you were before the change. It does not mean that a breach will happen, and in fact, many XP users do not even have Windows automatically updated and have been in breach for years, likely without incident.
Upgrading your computers to either Windows 7 or Windows 8 will address imminent security concerns, as both of these operating systems will be updated and supported by Microsoft. The update process is quick, inexpensive, and relatively painless, provided your computer equipment is not antiquated. If your computers are too old to support the newer operating systems, new hardware may be in order. New desktop computers can be found for under $500, and remember it is just the computer that may need replacement — not the monitor.
Some advice
Even though you may be using web-based electronic medical record (EMR) software, your computers will still require updating if you store patient-related data (including correspondence) on your computer.
Different versions of Windows 7 and Windows 8 “Home” versions may not always incorporate enough security to satisfy HIPAA requirements—and the networking options are limited. Always opt for the “Professional” versions.
Windows 8 is the latest—but not necessarily the best. There are many operational differences between Windows 7 and Windows 8. If you want to stick with a program that resembles Windows XP, Windows 7 will be your best bet. You can review Windows 8 at a computer store to see which one you might prefer.
Not all software that runs on XP will run on Windows 7 or Windows 8. Speak to your software vendors in advance of making any switch.
Windows updates can run smoothly or they can create a disastrous mess. Ensure that your data backups are current before you make any changes and consult your information technology professional. It will cost a bit more money, but it will drastically outweigh the potential harm of a failed update.
One final note: Updating to a new operating system does not preclude the need for anti-virus software. While these new operating systems do a better job at keeping things secure from an unwanted access standpoint, they do not protect you from unwanted viruses.
So long, Windows XP, you have joined the ranks of Betamax and the Telex machine, soon to be joined by ICD-9.
Steven Presement is the president of Practice Perfect EMR + Management software. He can be reached at steve@practiceperfectemr.com.
