What risks can you effectively manage?

I am glad that some readers are engaged enough to vocally disagree with my recent article about Windows XP not being an acceptable risk after it loses its security patches and updates on April 8. While I do not agree with some of their opinions, I will not relegate them to material appropriate for a toilet or a pasture. Nor will I question their integrity.

One critic of my XP article says “Check the facts.” I agree. Senator Daniel Patrick Moynihan once said, “Everyone is entitled to his own opinion, but not to his own facts.” I have included the facts that have led me to my opinions. These can help you form your own opinions and guide you to make the best decisions about Windows XP.

My Opinion

I see the issue of Windows XP as similar to driving a car that will not pass inspection. Some reasons for failing a car inspection may not cause an imminent risk, like if your car has body rust or holes in the seats. But what about bald tires? Would you agree that they are dangerous? That they might be OK in certain conditions or locations but not in others? That your desire to save money by not replacing them might actually endanger someone else?

The risks of an attack on a defenseless Windows XP computer are, to me, simply unacceptable when you consider the effects on patients hurt by a data breach. I think the financial risks to healthcare organizations and business associates are unacceptable. I also believe that the intents of HIPAA and Meaningful Use will not support the continued use of Windows XP.

I don’t believe that simply listing Windows XP as a risk and then doing nothing is compliant with HIPAA, just as listing bald tires as a risk is not enough to pass a car inspection.

HIPAA is intended to protect patient data, not just to have you write down where risks exist and then ignore them. HIPAA also says you must develop a risk management plan and mitigate the risks to a reasonable level. HIPAA’s vague wording is sometimes very frustrating. It does not specifically mention Windows XP. It does not specifically mention patches, updates, firewalls, or other tools to protect patient information. It leaves the definition of ‘reasonable’ up to you.

The wording might be very generic but the intent is clear—HIPAA requires you to implement administrative, physical, and technical safeguards to protect electronic health information. You cannot decide that ‘reasonable’ means doing nothing—or just documenting XP as a risk—and leaving patient data unprotected.

What is unknown is how the enforcers of HIPAA and Meaningful Use will judge data breaches linked back to the continued use of Windows XP systems after they lose their security updates. Also unknown are what data breach lawsuits may be brought by attorneys who claim that doctors, dentists, hospitals, and business associates had adequate warning, and that their clients’ rights of privacy were not adequately protected simply because someone wanted to save money.

Something that gets missed in the Windows XP discussion is that Microsoft Office 2003 is also losing its security updates and patches on April 8. Some organizations don’t have to worry about Windows XP because those systems have been replaced, but they may still be using Office 2003 on newer computers. There are more options now than ever before to replace Office 2003, including cloud-based services. Just be sure the solution complies with HIPAA and the provider will sign a Business Associate Agreement.

Some XP defenders have used the following FAQ answer, which says that the HIPAA Security Rule does not mandate specific operating systems, to claim that continued use of Windows XP is allowable.

The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).

This is not the sole guidance on protecting health information. What is often ignored by those wanting to keep Windows XP is the rest of the HIPAA Security Rule, the HIPAA Omnibus Rule, and the Meaningful Use requirements. These must all be considered together when protecting health information. If you list an unsupported operating system as a vulnerability, then you must define how you will manage the risk and what compensating controls you will implement to protect patient data. This will be very difficult, if not impossible, for most organizations that must comply with HIPAA.

In its HIPAA guidance, the National Institute of Standards and Technology (NIST) said:

The HIPAA Security Rule is all about implementing effective risk management to adequately and effectively protect EPHI.

The Meaningful Use Office of the National Coordinator for Health Information Technology said:

To comply with HIPAA, you must continue to review, correct or modify, and update security protections. 

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) said this in a case resolution that assessed a $1.5 million HIPAA penalty for a lost laptop:

(Hospital) did not fully evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures.

The smart folks in the Massachusetts Institute of Technology (MIT) IT department made patching Number One in their Top Ten Safe Computing Tips: Patch, Patch, PATCH!

Set up your computer for automatic software and operating system updates. An unpatched machine is more likely to have software vulnerabilities that can be exploited.

Texas A&M University just banned Windows XP computers from campus after April 8.

The US Information Security and Privacy Advisory Board said:

Continuing to use Windows XP after (April 8, 2014) will magnify security risks and associated mitigation costs, considerably… Because of ever-advancing threats, the risks of continuing to use obsolete (and soon unsupported) software are unacceptable.

These statements are why I believe that just listing Windows XP as a risk on a Risk Analysis is not enough to comply with HIPAA, why Meaningful Use compliance can be tied to HIPAA compliance, and why the $1.5 million fine is a pretty effective statement that you must protect data, not just document it as a risk.

HIPAA BS about Windows XP says “If you determine that THIS system is needed for your operations, and you take appropriate precautions, then it doesn’t have to go.”

I have yet to see any evidence that most healthcare organizations, and their business associates, would be able to effectively implement ‘appropriate precautions’ to mitigate the risks of continuing to use Windows XP after April 8.

Some have suggested isolating network segments containing Windows XP. Is it practical to isolate Windows XP systems from the Internet, servers, and other networked devices? Even if a network is segmented (like quarantining a patient), over time simply moving a Windows XP computer to an unprotected location could cause a data breach.

Most small practices I know do not have the hardware and software—or the knowledge and experience to properly implement it—to effectively protect patient data. I also doubt large organizations will be able to adequately protect against Windows XP threats.

Maybe I am cynical, but when an organization the size of Advocate Health Care’s medical group—the Chicago area’s largest physician group, with more than 1,000 doctors and 200 locations—did not follow its own internal policies and had 4 million patient records breached, I wonder how effective controls protecting Windows XP systems will be even if they are managed by a full-time IT staff.

Companies that produce anti-virus and malware protection software won’t be able to help.

Microsoft says:

Without critical Windows XP security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information. Anti-virus software will also not be able to fully protect you once Windows XP itself is unsupported.

Symantec says:

Running XP SP3 (or lower) and Office 2003 after the end of support date may expose the company to potential security and compliance risks. Also worth considering is the fact that, aside from vulnerable systems, several third party software vendors are expected to stop support of their applications on the XP Platform after April 2014 as well – this adds the additional danger of vulnerable applications and multiplies the possible infection vectors.

The Electronic Health Records Incentive Program ‘Meaningful Use’ guidance requires that you:

  • review all electronic devices that store, capture, or modify electronic protected health information
  • comply with HIPAA
  • continue to review, correct or modify, and update security protections
  • correct any deficiencies (identified during the risk analysis) during the reporting period
  • review and update the prior analysis for changes in risks

Meaningful Use Core Measure 14 says you must:

Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

The Meaningful Use guidance could have been a little clearer, because ‘45 CFR 164.308(a)(1)’ is the HIPAA Security Rule, which has required a Risk Analysis since 2005. You must conduct the risk analysis, and you must also implement security updates (which will not be possible in Windows XP after April 8) and correct identified security deficiencies (like compensating for the risks associated with systems that cannot be protected with patches and updates).

In its Myths & Facts, the Meaningful Use Office of the National Coordinator includes the following guidance:

My security risk analysis only needs to look at my EHR.

False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone).

I only need to do a risk analysis once.

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

Before I attest for an EHR incentive program, I must fully mitigate all risks.

False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.

Each year, I’ll have to completely redo my security risk analysis.

False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.

Gather as many facts as you can, and then make the most reasonable decision for your patients and your organization. I recommend that order if you want to avoid data breaches and compliance issues.

originally written for 4MedApproved