A couple of months ago, I was getting on an airplane. At the end of the sky-bridge, a desktop terminal displayed a set of metrics used to keep the flight on schedule. The log-in screen was Windows XP. I wondered how much of the airline industry is still running an operating system that was first released in late 2001.
Earlier this year, on April 8, 2014, Microsoft ended support for Windows XP, as it had announced well in advance. What this means: Microsoft will no longer release security patches or updates for it, so any vulnerability discovered after that date stays unpatched on every XP machine that is not covered by a custom support contract.
Most large firms have already migrated to Windows 7 or later, and those newer operating systems will continue to receive security updates.
This morning, I was a patient in a large subspecialty practice. The log-in screen for the EMR system was, you guessed it, Windows XP. Windows XP is no longer considered a secure environment. Perhaps it never was. But from the standpoint of a potential HIPAA audit, medical practices should be running newer operating systems.
Some entities delayed the inevitable by inking separate custom-support deals with Microsoft. The UK government agreed to pay Microsoft just under $10M for continued Windows XP security patches, and the Dutch government paid for custom support for 30,000 computers still running XP. Most medical practices have no such deal.
To be clear, the Department of Health and Human Services, which oversees HIPAA, does NOT mandate a minimum operating system for computers used by covered entities. But the HIPAA Security Rule does require covered entities to assess and manage the risks to electronic protected health information, and an operating system that will never again receive security patches is hard to justify in that risk analysis.
So, if you’re running Windows XP on devices in your medical practice, either upgrade them to a supported operating system or make sure protected health information is stored on, and accessed from, only devices that still receive security updates.