eMerit Blog - Still using Windows XP? If so, update before HIPAA police darken your doorstep.

A couple of months ago, I was getting on an airplane. At the end of the sky-bridge, a desktop terminal detailed a bunch of metrics important to keep on schedule. The log-in screen was Windows XP. I wondered how much of the airline industry is still on an operating system that was released for distribution early in 2002.

Earlier this year, Microsoft implemented its previously announced end-of-life support for Windows XP. What this means: they will not release new security patches or updates.

Most large firms have already migrated to Windows 7 or above. And security updates will still be released for operating systems newer than Windows XP.

This morning, I was a patient in a large subspecialty practice. The log-in screen for the EMR system was – you guessed it – Windows XP. Windows XP is not considered a secure environment any longer. Perhaps it never was. But, from the standpoint of a potential HIPAA audit, medical practices should be on newer operating systems.

Some entities delayed the inevitable by inking separate deals with Microsoft to maintain support. The UK government agreed to pay Microsoft just under $10M for security patches for Windows XP. The Dutch government also paid for custom support for 30,000 computers still running XP. Most medical practices do not have these custom deals.

To be clear, the Department of Health and Human Services – which oversees HIPAA – does NOT mandate minimum operating system requirements for computers used by covered entities. But, operating systems that will not receive security patches down the road are likely to be problematic.

The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).

So, if you’re running Windows XP on devices in your medical practice, either upgrade to a newer operating system or make sure protected health information lives only on more secure devices.