As an attorney who serves doctors, their offices, and clinics in Boulder, Denver, and throughout the state of Colorado, I always encourage clients to adopt practices that will ensure the security of their electronic and physical patient files.
However, as software platforms enter stages of obsolescence, and as hackers and malware developers become more sophisticated, securing digital data becomes a greater challenge.
On April 8, 2014, Microsoft is discontinuing its support of Windows XP.
The software development company is warning against increased security risks and encouraging XP users to upgrade to Windows 8.1. Because medical practices are frequently the target of cyber attacks, the management of these facilities should not take the Microsoft warning lightly if they are running Windows XP.
Microsoft’s Official Warning
“Without critical Windows XP security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information. Anti-virus software will also not be able to fully protect you once Windows XP itself is unsupported.”
In its otherwise general warning to businesses, Microsoft specifically addresses companies that must comply with the Health Insurance Portability and Accountability Act (HIPAA):
“Businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements.”
While the Department of Health and Human Services does not make individual assessments on operating systems, it does list the following warning on its website:
“Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).”
Why This is Different from Other Operating System Upgrades
- With Windows being just over two decades old, most users and businesses are accustomed to Microsoft introducing a new version every two to three years.
- For most doctors’ offices and healthcare practices, it is not cost-efficient to upgrade operating systems each time there is a new release.
- Usually, the software upgrade comes when it is time to replace the computer systems.
- Microsoft generally releases patches and software updates, which, among other things, bolster the security of the system against new threats.
- With Microsoft ending its support of XP, however, XP systems will grow less secure and more vulnerable with each passing day.
This places healthcare operators in a precarious situation.
After a patient-file security breach, no healthcare professional wants to be trying to convince federal regulatory investigators that using a 13-year-old operating system (first released in 2001) that is no longer supported by the manufacturer was a reasonable decision in protecting patient information.
To help avoid concerns about being out of compliance with HIPAA, and to avoid actual patient-file security breaches, doctors and their offices in the state of Colorado should strongly consider upgrading to a newer and more secure operating system.
If you have any questions about the Microsoft warning or anything else that affects patient records security, contact the Boulder-Denver area Law Office of Philip M. Bluestein. The above information is not intended and should not be taken as legal advice for your specific situation. If you have specific legal questions about HIPAA security or any of the business and legal matters in your practice, you may contact us directly at (720) 420-1777 to set up an appointment.