Effective April 8, 2014, Microsoft will no longer support Windows XP and Office 2003; effective July 7, 2015, the same applies to Windows Server 2003.
How does this affect your practice?
According to HIPAA Security Rule section 164.308(a)(5)(ii)(B), organizations that hold sensitive personal health information must ensure: "(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software." (HIPAA)
What does this mean exactly?
It means you should take action. After April 8, 2014, Microsoft will no longer provide security updates or technical support for Windows XP. Security updates patch vulnerabilities that malware can exploit and help keep users and their data safer. Running Windows XP SP3, Office 2003 or Windows Server 2003 in your environment after its end-of-support date may expose your company to risks such as:
Security & Compliance Risks — Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.
Lack of Independent Software Vendor (ISV) & Hardware Manufacturers support — A recent industry report from Gartner Research suggests “many independent software vendors (ISVs) are unlikely to support new versions of applications on Windows XP in 2011; in 2012, it will become common.” And it may stifle access to hardware innovation: Gartner Research further notes that in 2012, most PC hardware manufacturers will stop supporting Windows XP on the majority of their new PC models.
HHS.gov even goes so far as to address operating systems in a FAQ on its website:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
Bottom Line: This standard is addressable, not required. If dental practices need to continue using Windows XP past April 8, the minimum requirement for HIPAA compliance is that they address the risks in their risk analysis. Addressing the risks means the dentist knows what can happen and has a plan to minimize the risk (the plan must be described in the risk analysis). That plan can also include a timeline for moving off Windows XP, because dentists cannot continue to use that operating system indefinitely.
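The risk-analysis step above amounts to three concrete actions: inventory what is running, find the systems whose vendor support has ended (or will end soon), and record a migration deadline for each. The following script is an added illustration of that process, not part of the original post or any HHS or Microsoft tooling. It uses the end-of-support dates exactly as the post states them, and the host inventory, hostnames and ePHI flags are constructed sample data (a real practice would export these from its own asset list).

```python
from datetime import date

# End-of-support dates as stated in the post. Assumption: taken verbatim from the
# post; confirm against the vendor's lifecycle pages before relying on them.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Office 2003": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 7),
}

# Constructed sample inventory. Hostnames and flags are hypothetical.
SAMPLE_INVENTORY = [
    {"host": "FRONTDESK-1", "products": ["Windows XP", "Office 2003"], "handles_ephi": True},
    {"host": "OPS-SERVER", "products": ["Windows Server 2003"], "handles_ephi": True},
    {"host": "XRAY-PC", "products": ["Windows XP"], "handles_ephi": True},
    {"host": "LOBBY-KIOSK", "products": ["Windows 7"], "handles_ephi": False},
]


def unsupported_products(inventory, as_of):
    """One finding per (host, product) whose support ended on or before `as_of`."""
    findings = []
    for asset in inventory:
        for product in asset["products"]:
            eos = END_OF_SUPPORT.get(product)
            if eos is not None and as_of >= eos:
                findings.append({
                    "host": asset["host"],
                    "product": product,
                    "days_past_eos": (as_of - eos).days,
                    "handles_ephi": asset["handles_ephi"],
                })
    return findings


def upcoming_end_of_support(inventory, as_of, within_days):
    """Products still supported on `as_of` but losing support within `within_days`.

    This is what feeds the migration timeline the risk analysis must contain.
    """
    upcoming = []
    for asset in inventory:
        for product in asset["products"]:
            eos = END_OF_SUPPORT.get(product)
            if eos is None or as_of >= eos:
                continue
            days_left = (eos - as_of).days
            if days_left <= within_days:
                upcoming.append({"host": asset["host"], "product": product,
                                 "days_until_eos": days_left})
    return upcoming


def risk_register(inventory, as_of, migration_deadline):
    """Group findings per host into a risk-analysis entry with a planned action.

    Severity is "high" when the host handles ePHI, since that is the data the
    Security Rule's safeguards exist to protect; otherwise "medium".
    """
    register = {}
    for f in unsupported_products(inventory, as_of):
        entry = register.setdefault(f["host"], {
            "products": [],
            "severity": "high" if f["handles_ephi"] else "medium",
            "risk": "unpatched OS/software with publicly known vulnerabilities",
            "action": f"migrate to a supported platform by {migration_deadline.isoformat()}",
        })
        entry["products"].append(f["product"])
    return register


if __name__ == "__main__":
    today = date(2014, 5, 1)  # constructed "as of" date, shortly after XP end of support
    for host, entry in risk_register(SAMPLE_INVENTORY, today, date(2014, 12, 31)).items():
        print(host, entry)
    for item in upcoming_end_of_support(SAMPLE_INVENTORY, today, within_days=500):
        print("upcoming:", item)
```

Run against a real inventory export, the register output is the list of systems that the risk analysis must name, each with the plan and deadline the post says must accompany it; the `upcoming_end_of_support` pass gives the Windows Server 2003 machines their own entry on the timeline before their date arrives.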
Bottom bottom line: XP is old. It was released the same year as the first iPod. Windows XP was built for a simpler time: the internet was a different place when it was developed, and smartphones did not yet exist. Upgrading your network will not only satisfy the standard for protection from malicious software, it will also let you deploy current encryption, security and performance technologies.