In mid-2011, Microsoft officially announced the sunsetting of its popular Windows XP operating system. The 2011 announcement established April 8, 2014 as the official end of support for XP. Microsoft has a sunsetting policy, introduced in 2002 as the Support Lifecycle Policy, which establishes a ten-year minimum lifespan for operating system and software support. Windows XP was introduced in 2001, and Microsoft has continuously provided support for the program for nearly 14 years, despite the introduction of three newer Windows operating systems. No software company can support its applications indefinitely and Microsoft decided, in accordance with their Support Lifecycle policy, to discontinue XP support beginning in 2014. As a result, Microsoft will no longer be providing “new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates” for the XP operating system.
Are Windows XP users at risk of being non-compliant with HIPAA requirements?
Many eligible providers subject to HIPAA are concerned whether continued utilization of Windows XP will affect compliance with security requirements. While “non-compliant” may be too strong a term, unpatched machines are a real risk to covered entities. Following April 8, 2014, computers utilizing the Windows XP operating systems will become increasingly vulnerable due to a lack of security updates or “patches”. Unpatched machines present a security risk because they provide a vector for malicious software to infect machines and networks. Infections can then lead to the compromise of electronic protected health information (ePHI) stored in the affected machine or network. In addition to security vulnerabilities, continued use of Windows XP may become problematic, as many independent software vendors will cease to offer applications and updates for software utilized on the XP operating system.
Recommendations for Windows XP users
Because Microsoft will no longer be providing patches and support, we strongly encourage covered entities to update their operating systems to Windows 7 or 8. This type of update usually requires a hardware refresh, as many systems do not meet the requirements for Windows 7 and 8 operating systems. A recommended alternative to a hardware refresh involves the development of virtual desktop environments (VDE). XP machines can be deployed as virtual machines with the implementation of VDE, though this route should only be undertaken if the electronic health record (EHR) platform in use specifies that VDE may be used. Covered entities should endeavor to evaluate their current operating systems and the options available for upgrades, as utilization of XP after the end of support on April 8, 2014 will lead to increased vulnerability to breaches and the compromise of ePHI.