HIPAA and Windows XP

This topic can seem very Ickie and cloudy as it depends on your interpenetration to the rules. I would like to go on the record as saying that it is not wise to use any software that cannot and will not be updated for security vulnerabilities. I have read over the HIPAA compliance rules and many blogs and articles from experts, and although if you were to ask; "Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?" you may find the answer at http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html to be:

• No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security.  Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).

However, i would like to point out, as many of my counterparts would do also, the following from the above:

• Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis

I think we all could agree since Windows will no longer patch, or update, and security vulnerabilities  on XP, we could see that a HIPAA compliance test on any XP computer would fail, and cost the company. in an article by Mike Semmel from the blog 4Medapproved.com/HITSecurity; He really does a good job of telling us all how important it truly is to get off of these old, outdated systems. 

Within the electronic code of Federal regulations or e-CFR(found at www.ecfr.gov), Title 45, part 164 subpart c, 

§164.308(5)(a)(1) states: 

• Security reminders (Addressable). Periodic security updates.

and §164.308(1)(i):

• Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

and §164.308(1)(A):

• Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

So i would say with this evidence and the ever decreasing prices of computers, that any company would be farther ahead to pay three to five hundred dollars to replace the computer rather then the fines that could be imposed for the HIPAA Violations.