What’s all this I am hearing about Windows XP and HIPAA?
Microsoft will officially end support for Windows XP on April 8, 2014. After that end date, Microsoft will no longer provide “new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates” for the XP operating system. Because Microsoft will no longer be providing patches and support, we strongly encourage covered entities to update their operating systems to Windows 7 or 8. You can learn more about Microsoft’s reasons for instituting this sunsetting policy in one of our previous blog posts, Windows XP Support is Going Away.
What is the risk of having Windows XP machines still in place after April 8th?
After April 8th, Microsoft will no longer provide security patches for Windows XP. That means that any vulnerabilities or exploits discovered or created after that date will not be patched. These exploits could be used in multiple ways to steal data, infect the network, and compromise security. For example, the Blaster worm, released in August 2003, exploited a vulnerability present in every unpatched installation of Windows XP and was capable of compromising a system without any user action. Since then, hundreds of new exploits have been developed. According to the website CVE Details, 88 vulnerabilities were discovered in 2013, 58 of which could allow a remote user to gain privileges on a computer, any of which could potentially enable an attacker to take control.
Will I be non-compliant if I’m still using Windows XP after April 8, 2014?
After April 8th, the use of Windows XP will present a known and growing risk to its users due to the lack of security updates, or “patches.” While unpatched machines present a real and potentially serious risk to covered entities, “non-compliant” is too strong a term. Nothing in the regulations explicitly says that all Windows XP machines must be gone by April 8th.
What should I do if I can’t replace all my Windows XP machines by April 8th?
Conduct a risk analysis and/or update your security management plan. Under HIPAA regulations, entities are required to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information.” In light of this requirement, covered entities should be aware that continued usage of Windows XP presents a potential risk that should be appropriately documented in their risk analysis and security management plan.
What elements should I be sure to include in my risk analysis and security management plan?
The plan should include a targeted date for replacement or upgrade of the outdated machines. It should also include controls that will, as much as possible, mitigate the risks to ePHI that will exist on Windows XP machines and on your network.
What are some examples of controls that I should consider to mitigate risks to ePHI on Windows XP machines or on my network?
Some examples of controls that could be considered to mitigate risks associated with Windows XP machines might include:
- Use of XP machines only for essential applications, not for activities such as email and web browsing.
- Re-deployment of Windows XP machines for use involving less-sensitive data.
- Ensuring that all software and applications are supported and updated for use with XP machines.
- Discontinuing use of applications that open files from the internet, such as Windows Media Player.
- Discontinuing use of Internet Explorer if the machine must be used to access the internet. Download Chrome or Firefox and ensure that browser versions are frequently updated.
- Disconnecting XP machines from the network. If a disconnected machine becomes infected, it won’t affect others in the network. If disconnection isn’t possible, then ensure that firewalls exist to block traffic to XP machines.
- Use of Active Directory or other tools to further restrict use of Windows XP machines, e.g., locking USB ports, reducing user privileges, etc.
- Increased frequency of vulnerability management scans of Windows XP machines.
- Use of security services such as OpenDNS or web-content filtering solutions to block access to known malicious sites.
- Deployment of an intrusion detection and prevention system.
- Improved gateway security. Make sure your firewall or unified threat management appliance is up to date and set with the appropriate security settings.
- Regular backup of data, including at least one offline backup copy kept in separate storage.
None of these measures are guaranteed to protect ePHI stored on or accessed with machines utilizing the Windows XP operating system. However, while covered entities work to refresh their systems, taking steps to document and mitigate risks can decrease the likelihood of a breach.
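Documenting the risk starts with knowing which machines are affected. The following PowerShell script is an added example (not part of the original post) that inventories domain-joined computers still running Windows XP and writes a register that can be attached to the risk analysis and tracked against the replacement date; it assumes the ActiveDirectory module (RSAT) is installed, and the output path and the 90-day staleness threshold are placeholder values to adjust for your environment.

```powershell
# Added example: build a Windows XP risk register from Active Directory.
# Requires the ActiveDirectory module from the Remote Server Administration Tools.
Import-Module ActiveDirectory

# Assumed values for this example: the sunset date from the post, a hypothetical
# output path, and a 90-day threshold for treating a machine as stale.
$ReplaceBy  = Get-Date '2014-04-08'
$ReportPath = 'C:\Reports\xp-risk-register.csv'   # hypothetical path
$StaleDays  = 90

# LastLogonDate is replicated only approximately, which is good enough for inventory.
$xpHosts = Get-ADComputer -Filter "OperatingSystem -like 'Windows XP*'" `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, DistinguishedName

$register = foreach ($c in $xpHosts) {
    # A host with no recent logon may already be retired or offline; verify before
    # deciding whether it still needs mitigating controls.
    $stale = (-not $c.LastLogonDate) -or
             ($c.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))

    if ($stale) {
        $status = 'Verify or decommission'
    } elseif ((Get-Date) -gt $ReplaceBy) {
        $status = 'Past sunset date - apply mitigating controls'
    } else {
        $status = 'Scheduled for replacement'
    }

    [PSCustomObject]@{
        ComputerName = $c.Name
        OS           = $c.OperatingSystem
        ServicePack  = $c.OperatingSystemServicePack
        LastLogon    = $c.LastLogonDate
        Container    = ($c.DistinguishedName -split ',', 2)[1]   # OU the account lives in
        Status       = $status
        ReplaceBy    = $ReplaceBy.ToString('yyyy-MM-dd')
    }
}

$register | Sort-Object Status, ComputerName |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ('{0} Windows XP computer(s) found in Active Directory; report written to {1}' -f
    @($register).Count, $ReportPath)
```

The same list can be fed to your vulnerability scanner as the scope for the more frequent scans recommended above, and the Container column shows which OU each machine sits in when you apply restrictive Group Policy to XP hosts.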
What would happen if I had a breach after April 8th related to a Windows XP Machine?
If a covered entity decides to phase out Windows XP machines after April 8th, the possibility remains that the covered entity could still be held liable for a breach related to those machines. The likelihood that this would happen is reduced substantially when entities take the proper steps to lessen risks. While fines may still be a possibility, they would likely be reduced, or a finding of “reasonable cause” by an administrative law judge would give the judge the discretion to waive any fine.
Anything else I need to know?
It’s worth repeating: covered entities are required to accurately and thoroughly assess potential risks and vulnerabilities. In doing so, these entities should make every effort to document and mitigate any risks discovered during a risk analysis. For Windows XP users, this means categorizing the use of Windows XP as a potential risk following the sunsetting date of April 8, 2014 and working towards a system refresh as soon as possible.
We recently added to the list of controls you can implement to mitigate risks to your Windows XP machines and network. In addition to those previously listed, we have added several recommendations found in the latest SANS newsletter. Thanks again to SANS for their great suggestions!