The time has come: Microsoft has put the final nail in the coffin for Windows Vista. As detailed on its support site, Microsoft will no longer ship new security updates, non-security hotfixes, or free or paid assisted support options as of April 11, 2017.
While the HIPAA Security Rule does not specifically require a particular supported operating system, Microsoft warns that “Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.” (Microsoft)
The US Department of Health & Human Services (HHS) does not address the issue directly, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). In its own words:
“Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security.
Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s Risk Assessment (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, because the operating system is no longer supported by its manufacturer).”
This means that, while it is not a HIPAA violation in itself to use Windows Vista after 4/11/17, you must address the threat in your Risk Assessment: acknowledge what can happen and document a plan to minimize the risk. That plan should include a timeline for moving away from Windows Vista, because continuing to run an unsupported operating system indefinitely is not sustainable. It does, however, give you a little time to change over gradually and minimize the financial impact.
The belief held by some less technical business people that they are safe running Windows Vista because they have a firewall and anti-virus (anti-malware) software is simply incorrect. Those tools do not fix the flaws in the operating system itself: a vulnerability in Vista that will never be patched can still be exploited through traffic the firewall allows, such as a web page or an email attachment, and anti-malware products only catch threats they already recognize. The cybercriminals of today are not a laughing matter. Often funded by organized crime and foreign governments, they are sophisticated, well-funded and technically skilled, and a simple firewall and anti-malware solution will not stop a persistent attacker. Running a vulnerable operating system is asking for HIPAA headaches.
Continuing to use Windows Vista after 4/11/17 (or any other unsupported operating system) becomes a HIPAA violation if it is not addressed in your security Risk Assessment. As the risk increases over time, you are obligated to keep the Risk Assessment updated. Eventually you will need to switch to a supported operating system, which removes the burden of worrying whether you are in violation of HIPAA.
Cytek Safeguard™ offers a full, comprehensive risk assessment and can organize what you need to pass a HIPAA audit. Cytek Safeguard™ is a cloud portal that provides you and your staff with everything you need to become compliant and pass an audit.
Lastly, work with a trusted IT partner or IT service provider. The investment will be worth its weight in gold in reducing downtime, spiraling costs and potential HIPAA enforcement costs. Don’t let this scare you; let it prompt positive action. Technology always requires planning and effort, but the gains will prove it a wise investment. Tech Evolutions provides IT support for over 100 health care providers nationwide.