Microsoft ended support for the Windows XP operating system in April 2014. While this does not necessarily put an organization at risk for HIPAA noncompliance, it does introduce several security risk factors that must be properly mitigated in order to maintain HITECH regulatory standards.
With the end of XP support, continued use of XP is an automatic flag to HIPAA auditors unless “reasonable measures” covering its continued use on internal networks have been documented.
Organizations now carry the responsibility to evaluate their risk controls for identified XP systems, and these controls may require supplementary procedures and technology solutions. Simply put, recurrent Band-Aid fixes may require some creative IT solutions that may cost more than an upgrade.
However, if you must continue using XP, below are some of the risk factors introduced by Windows XP’s end-of-life date, together with proposed solutions and techniques to consider in order to maintain HIPAA/HITECH compliance.
Proposed Solutions
Option 1: Lifecycle Management
Best business practices dictate that a system lifecycle management program be adopted to ensure endpoint computer systems adhere to hardware and software technical standards. By requiring that legacy systems be phased out of the production environment, the development costs associated with continued system support can be avoided. The recommended Systems Development Lifecycle (SDLC) is 4 years, with approximately one quarter of systems being replaced each year. With this guidance in place, organizations can take a proactive approach to staying up to date in the face of continually updated standards. While the cost of hardware and software licensing involved in implementing an SDLC solution has traditionally seemed expensive, the cost of continual support will often outweigh any initial fiscal investment. An additional benefit of upgrading is that the degraded speed and efficiency of outdated machines should no longer cause undue complications within an organization.
Option 2: Cloud Terminal Services
By migrating support to a Software-as-a-Service (SaaS) model, organizations can continue to use thin-client hardware and software applications that have outlived their support cycles. One of the key considerations in this solution is the application support provided by the IT company that hosts the legacy software packages. By utilizing “virtual desktop connections,” organizations can eliminate their reliance on the local computer OS because the software runs directly off of a secured application server. The downside to this solution is similar to the others from a cybersecurity standpoint: the operational requirements for patch support still have to cover the limitations of the legacy hardware.
Option 3: Restricted Access
Assuming the risks involved with continued XP usage have been accepted, one method of risk mitigation is to tighten physical access restrictions on the machines and to ensure that additional network security and anti-virus services are in place. These are critical to malware protection and supplement an organization’s overall security posture. This combination of controls can be considered “reasonable measures” and will aid an organization in its commitment to remaining in compliance with HIPAA/HITECH regulatory guidance. By far this is the easiest short-term solution, but it will require a long-term commitment to additional security services.
Option 4: Legacy Support via Windows Server Update Services (WSUS updates)
The backup option would be to subscribe to an IT solutions company that provides patching services for XP hardware components and compatible software packages. In order to provide this service, the hosting company will need to analyze cybersecurity threat intelligence and develop code that counters the emerging hacking techniques used by many of today’s malicious actors to exploit common, well-known vulnerabilities.
Contact VCPI to discuss your options in mitigating your risk for noncompliance while using discontinued operating systems.