
Windows XP
The question of compliance is not a technical argument. It’s a question about regulatory compliance and enforcement.
You can read all the technical discussions on the forum about HIPAA and XP, but none will matter if the enforcement agency is a bunch of lawyers (they are) and has an official resource for guidance that says XP systems should be phased out (they do).
The US Dept. of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA, which is a collection of vague requirements like “You must protect devices against malicious software.”
The detail on how to comply is not up to people to argue, because the National Institute of Standards and Technology (NIST) is a government agency that provides specific guidance on technologies.
From NIST Publication 800-66 (revised): “Do employees know the importance of timely application of system patches to protect against malicious software and exploitation of vulnerabilities…” and “Procedures for guarding against, detecting, and reporting malicious software…”
Those won’t exist for XP after April 8, 2014.
This letter from the federal Information Security and Privacy Advisory Board says that “Outdated (e.g., unsupported) computer operating systems should be phased out.”
It goes on to say that “Microsoft data shows that XP gets infected at a rate almost 10 times greater than a modern 64-bit system” and “Continuing to use XP after that date (4/8/2014) will magnify security risks and associated mitigation costs, considerably...
There would be an immediate and significant benefit from implementing this policy. The gain in replacing outdated operating systems with more current versions that employ modern security techniques may be larger than that coming from the Trusted Internet Connections (TIC) program, continuous monitoring, or wider implementation of Homeland Security Presidential Directive (HSPD)12 - worthwhile programs in their own right, but without the broad and relatively fast impact that could be achieved through operating system upgrades.”
Stop thinking like IT guys for a minute and think like government auditors and data breach investigators, who are lawyers. If you found an XP system on a network after the security updates expire, particularly after a breach, would you rely on the technical argument of an ASCII member or the guidance published for all to see by the government that is paying you and wrote the rules?
This guidance can be used with other organizations — both regulated and non-regulated — not just HIPAA Covered Entities and Business Associates.
Semel Consulting works with Covered Entities, Business Associates, and Subcontractors to properly manage HIPAA compliance.
MIKE SEMEL | www.SemelConsulting.com