HIPAA Compliance for XP Users
Recently, Microsoft has discontinued support for the Windows XP Operating System, causing concern for many doctors about maintaining compliance with HIPAA regulation for patient privacy and data security. This document outlines the steps taken to secure any remaining Windows XP systems that cannot be upgraded due to critical hardware that is not compatible for a Windows 7 upgrade.
Am I required to update all workstations to Windows 7/8?
No. HIPAA regulation states that measures must be taken in order to secure each workstation existing on a doctor’s network. This includes Windows 7 and 8 workstations as well as the XP stations we provide with some machines. This allows flexibility for practitioners to use their older equipment that cannot be upgraded to the latest operating systems but still maintain high security in their infrastructure.
What do I do?
Securing a business network is best accomplished by trained and certified IT Professionals. They have the expertise to evaluate a business infrastructure and build a complete solution for security and data integrity, including but not limited to data encryption, network level security, and disaster recovery planning. It is essential for end users to consult with IT Professionals to ensure their network is properly secured to safeguard data from being compromised by outside sources.
Firewall – This is built into all Windows Operating Systems. This can be enabled and used to prevent any unauthorized network connections to the system. This is also available on most routers for network level security.
Anti-Virus – This is a must. All systems should have anti-virus software installed to protect against any malicious software applications that could compromise data.
Disable Internet Explorer – Internet Explorer for Windows XP will not be upgraded. Due to this, vulnerabilities found after the end of support will not be patched. Google Chrome and Firefox are 2 options available for continued support and security patches.
Restricted User Access – This is configured within Windows Operating Systems and control what applications and data users are allowed to access and modify.
Fine Grained Permissions – This is a more detailed control at the file level to determine which users can view, open, modify, or delete a file or folder.
Multi-User Login – This is best practice for a business environment. It is also an option to have a single-user login, but this account must be restricted to the lowest available user permissions to maintain compliance.
Physical Location and Access – It is highly recommended to store any patient databases on server grade systems. However, if server storage is not possible, the database can be stored on another computer system (Windows 7 or higher) as long as it is locked and secured.
User Timeout – It is required for any system that can access patient data to have a 10-minute timeout period, in case any operators walk away from the system with patient data on-screen. It is highly recommended to also use a screensaver that will activate at a sooner interval to hide any patient information that may still be on-screen at the time.
Additional Security Options
Drive-Level Encryption – There are software applications available to encrypt the entire hard drive in a system, this way in the event a system is lost or stolen, the data on the drive is rendered unusable to any unauthorized person. **It is highly recommended to do a full data backup and create a system image before encrypting a drive**
Intrusion Prevention/Detection – These exist as hardware appliances or software applications that will provide extra layers of security in the event a network is compromised. It will notify the IT Administrator so they can act immediately and mitigate any possible theft or loss of data.
Disconnect From Internet – By removing the gateway setting, this will disconnect internet access so this system will not be visible from the network’s gateway (router). This can be configured so the user can click on a file on their desktop to switch between connecting and disconnecting from the internet in the event they need support from Vatech on their system.
Disable Removable Devices – Many instances of data theft happen on-site with physical access. By disabling removable devices, nobody will be able to plug in a flash drive or extract data on a CD. This is managed in the computers Local Security Policy, or on Active Directory Domains, using Group Policy.