As of April 8, 2014, Microsoft will no longer “support” Windows XP, the business operating system first released in 2001 and officially replaced by Windows Vista in 2007. Even though Windows XP has not been the primary business solution for Windows in a number of years, statistics show it still has a 40 percent market share among businesses, including countless medical group practices.
No longer supporting the software means, in layman’s terms, that security updates and patches, as well as other updates, will no longer be available. The software will continue to be usable but, over time, will potentially become more vulnerable to breakdown or malware attack.
Those vulnerabilities have led many experts to conclude that use of Microsoft XP after April 8 would be considered an automatic HIPAA Security Rule violation, because the practice could not ensure the security of patient protected health information (PHI) within its possession.
Because Microsoft would no longer be issuing security patches for Windows XP, the practice cannot guarantee that the data is secure, which is perceived as a violation of
Others have suggested it may not be an automatic violation, assuming that you have conducted a HIPAA risk analysis under Security Rule 164.308(a)(1)(ii)(A), that the risk analysis makes clear that one security risk for the practice is its use of Microsoft XP, which increases the practice’s vulnerability because it is no longer supported by Microsoft, and that the analysis documents the steps the practice has taken to address that vulnerability.
HIPAA does not mandate minimum necessary operating systems for compliance, so if electronic PHI is not stored on the operating system, or is secured through other manners, such as encryption, then the mere presence of Microsoft XP may not automatically cause a violation.
But even if you take the second option, keeping Microsoft XP and addressing it in your risk analysis, it’s a short-term solution at best. The reality is that you’ll continue to face an increased risk under the Security Rule and, at some point, your data, including patient PHI, will be compromised. Everyone agrees that’s a HIPAA violation.
Add to this the increased likelihood of HIPAA compliance audits, and the onus is on your practice to step up data protection and HIPAA readiness in a big way. We’ll explore ways to do that.
HHS tool to aid assessment
Given that HHS holds primary responsibility for enforcement of HIPAA through the Office of Civil Rights (OCR), a good place to start reviewing your security preparedness is the risk assessment tool for HIPAA compliance now available from HHS.
The tool, released at the end of March, was created by the HHS Office of the National Coordinator for Health Information Technology and OCR, and is intended to help practices conduct and document a risk assessment.
You can do the assessment in two ways. First, visit http://www.healthit.gov/providers-professionals/security-risk-assessment to get started. At that point, you have the option of creating print versions of the assessment tool, or of going through it interactively by downloading the tool and walking through each area of HIPAA compliance to assess your own status and vulnerability.
HHS divides its assessment into three functional areas – administrative safeguards, technical safeguards and physical safeguards. Each area within the risk assessment contains questions and answers designed to capture your current level of preparedness and expose potential gaps.
There are approximately 150 areas to address as part of the HIPAA security assessment tool, with about 70 in the administrative safeguards, 42 in technical safeguards and 38 in the physical safeguards. Each is based on the HIPAA standards that are part of the rule.
Doing the assessment with the tool won’t solve your security problems, and your results will depend to a large degree on your candor while taking the assessment.
Here’s an example: In the technical safeguards section, one of the questions is “Does your practice implement safeguards, to assure that ePHI is not accessed while en-route to its intended recipient?”
When you answer no, the next area probes to determine why, with the options being cost, complexity, practice size or an alternate solution. The tool then provides space to describe current activities, include additional notes and detail a remediation plan.
You would then be asked to rate the overall vulnerability of your ePHI and the impact a compromise would have on your practice. After this area, typical and common threats to ePHI are detailed as a resource, as well as ways to safeguard it.
The biggest threats to ePHI, of course, are unauthorized or unintended use and disclosure to someone who isn’t supposed to see or have the information. Safeguards suggested are to implement technical security measures, assess the risk of interception of ePHI during transmission and to implement encryption.
These safeguards are a combination of reminders of what is required under HIPAA (technical security measures) and other standards for compliance.
Where the tool becomes intuitive is that the area addressed after ePHI security asks questions about encryption, which is generally considered to be among the best methods of assuring PHI security.
This area is built the same way as the previous section, but focuses the same probing questions on encryption to determine what the practice knows about this area. What makes encryption especially attractive is that when your data is not encrypted, any unauthorized access to your equipment automatically results in patient PHI being considered to be compromised.
Consider the Windows XP example above, or consider the even more common occurrence of lost or missing laptops or tablets. Encrypted data are still considered protected in this instance, because they are not assumed to be compromised just because the device has been.
Doing the risk assessment across all three areas is a time-consuming but worthwhile endeavor. HHS notes that the tool is designed to be done at the pace most comfortable for the practice. To give you some idea of the length and comprehensiveness of the analysis, it runs to approximately 440 pages when printed out.
Difference between compliance and security
Even when you are fully compliant with the Security Rule, it doesn’t mean you are immune from violations. Consider that, according to a recent Washington Post report, Target was considered compliant with the industry standards for accepting credit cards just two months before one of the largest credit card breaches in history occurred at the retailer.
In the same article, industry expert Maureen Kaplan, managing director of healthcare cloud and security for Verizon Enterprise Solutions, suggests you consider separating patient health records from your general network.
She also suggested some long-standing best practices, including reviewing your user permissions closely and making sure people can access only the PHI needed to do their job. Engineer your permissions policy to put the burden of proof onto the person who feels like he or she needs the expanded access to do their job. Don’t design a network that errs on the side of granting access.
Be prepared to change and re-think how you protect patient data, especially as the need for data security changes based on the types of data you are storing and how fast you are using it. New trends such as the patient-centered medical home and other wellness initiatives will make it critical for health care providers to be prepared to share patient PHI with one another electronically, and more quickly.
Health payers are cracking down on paying for duplication and payment policies are pushing care toward being provided in more of a team-centric environment. Those factors suggest the need for providers to share data more nimbly, while still maintaining the highest level of data security for patient PHI.
There’s always insurance
As noted by attorney Lon Berk in the Law360 journal, tread carefully when looking at cyberinsurance. There is a rapidly increasing number of policies on the market that purport to protect your data.
Berk asserts that most policies being sold aim to protect against data loss and exposure of PHI. In theory, that would be a big part of what a practice needs for its own security. But the bigger threat is to infrastructure, including malware attacks on centralized computer systems that can reverberate to the networks practices use for their own data.
These types of attacks, which could damage practice systems, are the ones typically excluded from cyberinsurance policies, even when the loss or compromise of PHI could be collateral damage of such an attack.