Tuesday, January 21, 2014
Microsoft’s discontinuation of support for Windows XP and Office 2003 on April 8, 2014 may place dental practices at risk of HIPAA noncompliance.
The discontinuation of Windows XP support means that no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates will be released. Running Windows XP Service Pack 3 and Office 2003 after April 8 may expose your practice to risks such as:
- security and compliance risks caused by unsupported and unpatched environments; and
- lack of independent software vendor and hardware manufacturers’ support.
According to Patrick Cannady, manager of dental informatics for the American Dental Association, this also means that dental practice management system vendors are going to be asking their clients using XP to switch to Windows 7 or 8. This may involve replacing hardware as well.
Cannady said older operating systems (like XP) can have more known vulnerabilities, making them prime targets for hacking attacks and malware such as viruses, rootkits, and Trojans. In addition, old operating systems, no matter how stable, familiar, and dependable, can and will crash without warning, exposing data to possible loss.
Likewise, products running on Windows XP, such as dental practice management software, will likely have vendor support canceled as well, exposing practices to the risks posed by bugs, crashes, data loss, and other security problems.
Cannady points out that the HIPAA Security Rule includes two standards that would require a dental practice currently using XP to begin devising a transition plan to Windows 7 or 8. They are a “Risk Analysis” and a “Security Management Process.” These two standards require a covered dental practice to:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the Covered Entity; and
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the Security Rule.
“The risk analysis and risk management process requirements mean that a covered entity must maintain an awareness of its threat environment and adjust its security measures in a reasonable, prudent, appropriate manner,” he explained.
Another consideration is the 2013 HIPAA Omnibus Final Rule, which makes business associates of covered entities, including dental practice management software vendors, directly liable for the same civil monetary penalties as covered entities for HIPAA violations.
Dental practice owners will need to examine their options carefully, he explained. While it may be possible to implement a supported operating system in a phased manner, Cannady said it needs to be done without neglecting the other requirements of the HIPAA Security Rule.
He added that it’s prudent and appropriate for practices to use a reasonably current and supported operating system so the practice can continue to receive security patches, software updates, and technical support necessary for meeting the HIPAA Security Rule’s technical requirements.
Dentists with questions about this and other HIPAA issues should visit the ADA’s HIPAA Privacy and Security website. An article covering this topic will also appear in an upcoming issue of ADA News, or contact Cannady at 312-440-2760.