Hospitals Still on Windows XP Could Mean Loss of HIPAA Compliance

Roughly two weeks ago MLA released a new version of its website.  Right away librarians stuck (due to institutional standards) on IE 8 started complaining that the new MLA site did not display properly on IE 8.  The good news is that the folks at MLA know of this problem and are working with the web developer to fix it and others.  The bad news….the number of librarians stuck on IE 8 might be indicate a bigger problem for hospitals as a whole.  My guess (and this is totally hypothetical) is that a many people who are stuck on IE 8 are stuck because they can’t upgrade to IE 9+ because they are on Windows XP.

My husband works for a company that creates an enterprise content management software system that is used by over 1,500 healthcare provider organizations representing more than 2,500 facilities.  Sometimes our jobs deal with similar issues, sometimes they do not.  This is one of those times that they did.  I happened to mention the whole IE 8 problem with my husband and I think I started to see smoke billow out of his ears.  Since the kids were already asleep for the night, I figured I touched on a hot topic.  He told me that this has been a big problem in healthcare and banking for several years.  Many of the hospitals running IE 8 are also the same organizations that are still running Windows XP.  (While IE 8 can run on Windows 7, IE 9+ cannot run on Windows XP.)  Not only did his company decide to stop supporting XP they recently decided to no longer support IE 8.

Windows XP is NOT supported by Microsoft. Being on Windows XP is a security risk.  Just yesterday the Wall Street Journal, reported on a newly discovered security hole in Internet Explorer versions 6-11 in the article “New Browser Hole Poses Extra Danger for XP Users.” According to the article the “coding flaw would allow hackers to have the same level access on a network computer as the official user.”  Yeah I echo the WSJ in saying “that’s really bad.”  Microsoft is working on a fix, but that fix will not be available to XP users.  The Forbes article title “Microsoft Races To Fix Massive Internet Explorer Hack: No Fix For Windows XP Leaves 1 In 4 PCs Exposed,” pretty much says it all.  A 13 year old operating system still represents 25% of the world’s PCs.  The cyber security software company, FireEye,  revealed a “hacker group has already been exploiting the flaw in a campaign dubbed  ‘Operation Clandestine Fox’, which targets US military and financial institutions.”  While the WSJ article says FireEye said attacks were mainly targeted at IE 9-11, this security flaw is still a major problem specifically because Microsoft will not offer a patch for XP.  Basically once Windows Vista, 7 and 8 machines are patched….what system is left to hack? One that doesn’t even have a patch and users refuse to upgrade.

It isn’t like the XP rug was pulled out from under users.  On the contrary, XP users have know for 2 yrs that XP would be unsupported.  According Forbes, Microsoft “repeatedly sent a pop-up dialog box to reachable Windows XP machines” with end of support information.  Software developers including my husband’s company have warned customers that XP will no longer be supported by Microsoft and as a result they will no longer write software for XP nor support software on XP machines.  My husband told me how they have contacted their hospital clients of regarding XP yet the clients haven’t upgraded nor have any real plans to upgrade immediately.

So we get the fact that have a operating system that is no longer support is bad and could lead to security problems.  But when your a hospital and the security of patient information is paramount to your existence, second only to treating patients, then you have a major problem. The HIPAA Security Rule section 164.308(a)(5)(ii)(B), organizations with sensitive personal health information are required to protect their systems from  malicious software.

Several articles have stated that failure to upgrade from Window XP is a violation of HIPAA.

Mike Semel’s article states, “Just having a Windows XP computer on your network will be an automatic HIPAA violation— which makes you non-compliant with Meaningful Use— and will be a time bomb that could easily cause a reportable and expensive breach of protected patient information. HIPAA fines and loss of Meaningful Use money can far outweigh the expense of replacing your old computers.”

Sound a little drastic?  It doesn’t seem so when you look at Laura Hamilton’s interview with HIPAA attorney James Wieland,

Additive Analytics: Let’s say that a hospital computer is still running Windows XP after the end-of-life (EOL) on April 8. Then a virus compromises the machine, and attackers steal personal health information (PHI). What are the legal ramifications for the healthcare provider?

James: On those facts, it would certainly appear to be a breach, reportable under the HIPAA breach notification rules to the individuals and to the Secretary. Breaches are subject to investigation and may result in penalties.

Hmmm we just found out that there is a major security flaw with Internet Explorer which could lead to a breach and machines running XP will NOT have a fix from Microsoft. What happens when the hacker group that FireEye discovered (or any hacker group) decided to exploit the healthcare side of things?

To me the IE 8 design problem for MLA.net opened my eyes to the greater XP problem within healthcare.

6 thoughts on “Hospitals Still on Windows XP Could Mean Loss of HIPAA Compliance”

  1. I’m glad you’re talking about this, Michelle, but I do want to mention one caveat. Microsoft is offering institutions the (extremely expensive) option of continuing support for Windows XP. The general user of XP doesn’t have this option, but many large organizations like hospitals, banks and governments are paying huge fees for extended Microsoft support of Windows XP.

  2. Yes Laura, companies can pay Microsoft big bucks to privately keep their XP systems running. However, I wonder how many smaller organization are doing this and whether doctor’s offices and practices even know this. I’ve also got to wonder how many organizations (not just hospitals) are paying Microsoft and what the cost benefit analysis of paying to maintain the status quo vs upgrading the system. I realize hospitals have legacy systems but as meaningful use requirements continue to evolve requiring greater integration of systems within the entire hospital network system these legacy systems will not be able to handle that and the hospitals might be face with penalties for failing to meat meaningful use. Out dated, legacy, siloed, systems must be replaced and can no longer be used to justify continuation of older operating systems. That is not moving forward with health IT that is remaining stationary and eventually that leads to being left behind.

  3. A ZDNet article Laura tweeted stated,
    “It’s also worth noting that there is a time limit — which Microsoft is not disclosing — on how long the company will continue to provide XP patches to those users who are paying for CSA coverage. And in order to qualify for CSA coverage, customers must have migration plans with quarterly deployment milestones and a project completion date.”

    So even Microsoft acknowledges the problems of legacy software, but they also won’t be ruled by it. The organization has to have a plan to leave XP (thus they have to deal with the legacy software that “prevents” them leaving) before they can pay extra for Microsoft support.

  4. I agree, it’s particularly worrisome for small hospitals and practices. But another complication for hospitals is the FDA validation process for all medical devices. If a piece of medical equipment is running a version of Windows XP, it can’t be changed by the hospital IT staff. In fact, they can’t touch a validated device and/or software no matter what operating system is being used and have to build other security measures instead, and rely on manufacturers to provide updates. FDA validation is very stringent, so patches and updates can require a lot of work by the manufacturer. See http://geekdoctor.blogspot.com/2013/02/the-security-risks-of-medical-devices.html?m=1 to get a small idea of the problem for hospitals. Your husband might have some first-hand experience of FDA validation, too, since it applies to software involved in patient care.
    I guess my point is ultimately to say that the issue of Windows XP in health care settings is more complicated than one might think.

  5. I’m deeply concerned about small practices and health systems that are unprepared for a move to Win 7. Microsoft extended/custom support is just one piece of the puzzle if an org is looking to prolong their use of XP. There needs to be competent IT admins in Networking, Information Security, Desktop Engineering and Application Support, all working together to safeguard their vulnerable systems. In smaller orgs, these roles are either over tasked or non-existent. My perspective comes from a large org that has a solid IT department, ymmv.

    Safeguarding an out of date XP system has parallels to how FDA validated clinical devices and OSs are protected. Once you’ve got one of these validated systems in your environment, any patches or changes will break your validation. Vendors take months or even years to go through the lengthy and costly validation process so OS patches can be applied, and that’s if they’re willing to embark on the process at all. This results in a need to treat these types of devices as vulnerable systems and develop processes to protect them. If it’s standalone, you airgap it, if it needs to interface with other clinical systems, interface and networking engineers work to build a secure process. For dealing with an XP workstation fleet, if the above methods aren’t options, locking the OS down with a process whitelist would be a potential solution. Products like McAfee Application Control can take a “whitelist snapshot” of a freshly imaged workstation and then prevent any further modification of the OS and installed apps. Again, even in this case there needs to be central monitoring and competent staff administrating the system.

    Quotes from Microsoft for extended/custom support are considered confidential, the following numbers and information is scraped together from internet searching and does not represent actual quotes provided to my org by Microsoft. MS has committed to provide extended/custom support through at least April of 2017 for anyone crazy enough to want to pay. When the sales rep is in front of you, a purchase order is really the only prerequisite for obtaining extended support. Pricing is per workstation, with a floor of 750 devices. For example, in year 1 the floor might be 750 devices @ $200 per device. In year 2, the price per device may go up to $400, and in year 3 $1,000. It’s important to understand that this per device cost only gets you patches for any vulnerabilities that Microsoft rates as Critical. If your org needs a non-critical security hotfix, get ready to cough up an additional $50k PER fix.

    As to the linked articles, if I need a consultant to come in and scare our leadership into action with misleading and false claims, I’ll give Semel a call. He is just FUD spreading with his assertion that simply failing to upgrade is an automatic violation. I can’t regard his comments as anything other than an unscrupulous consultant looking to profit from provoking panic. Wieland provides a much more nuanced perspective, a breach is a breach and can happen on any OS. Whether it occurred on XP, Win 7 or other OS, a breach represents the failure of an organization in its duty to protect PHI.

  6. Very good point that the costs are per workstation and even a small place with 750 workstation is going to see a huge bill for just critical security maintenance. I understand how you feel about Semel, do you know of an author or an article that is less extreme and perhaps presents a less reactionary approach than Semel? I would love to add it to the list of linked articles in order to try and give a more rounded view of the situation.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>