We started working with our clients on replacing XP machines in their technology plans in 2013. No one is surprised when we come calling for the last few they have installed in 2014. They have been hearing we were removing them for a long time. But, not everyone has had that much warning it seems.
It isn’t unreasonable for Microsoft to retire the OS, after all, it was originally released in October 2001. Computing has changed drastically since then. But, what you really want to know is does it mean you need to get rid of XP on your network to be HIPAA compliant.
Technically, many people have argued that having XP alone on the network does not place you outside HIPAA compliance guidelines. I disagree with that position.
Yes, there are no specific compliance rules that say XP can’t be used. But you are supposed to interpret the rules to apply across all situations and sizes of organizations, not verbatim. If I do that I can not allow my clients to keep any XP devices on a network connected in any way to PHI.
Here are specific points as they apply to specific security rules, IMHO.
164.306(a)(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
One should reasonably assume that once Microsoft officially no longer supports XP that it will become a prime target for malicious attacks. In fact, I would not be surprised if some hackers have found security holes and have been holding on to them to use after the patches stop.
Who would seriously argue the point to OCR, if there is a breach caused by attacking your XP device, that it was reasonable to believe it was adequately secured with no security patches from Microsoft?
164.306(b)(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity or business associate.
(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
If we consider the complexity and costs of replacing an XP device vs the software security capabilities of the device along with the probability and criticality of potential risks – I am pretty sure replacing the device will win in most cases. I haven’t found one where it didn’t yet but assume it could happen.
164.308(a)(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
(ii) Implementation specifications. Implement:
(A) Security reminders (Addressable). Periodic security updates.
(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
Protection from malicious software would be limited, at best, if there are no security updates applied to a system. Even management is supposed to know that practice is not acceptable according to HIPAA.
Still with all that in mind, you should assess which devices run XP, what they are used for and perform your own risk analysis and mitigation plan for each device. You may feel differently but we haven’t found a case where keeping an XP device was an acceptable risk. As with all compliance decisions, it is up to you to decide and document what risks you are going to mitigate and what you are going to accept.
You will, however, be hard pressed to find any security expert tell you that once the XP machines are no longer updated, they will remain acceptable very long. XP really isn’t considered a solid security OS as it is, so having no one patching holes in it’s security could make it a gaping hole in your security framework.