by Matt Smith
The end of Windows XP is right around the corner—as of April 8, 2014, Microsoft will no longer be providing support and security updates to the 13-year-old operating system. It’s estimated that as many as 1/3 of the PCs still in operation—many of them in medical and dental offices—are running XP.
What does this end of support mean for your practice? Can you still get away with running the older operating system?
The End of XP Also Means the End of HIPAA Compliance
The most important thing to know is that after April 8, Windows XP will no longer be HIPAA compliant. HIPAA Security Rule section 164.308(a)(5)(ii)(B) states that you must implement “procedures for guarding against, detecting, and reporting malicious software.” Since XP’s manufacturer (Microsoft) will no longer be providing security updates, it is vulnerable to attacks and data loss.
Installing a firewall and an anti-malware program is not good enough—you can still be held liable for failure to comply. This could lead to suspension of certifications or, in cases where confidential information is lost, payment of monetary damages.
Using an unsupported XP system is not just a “paper” threat, either, but a real risk to your data integrity and network security. This is because many of the security patches that are issued for Windows 7 and 8 can be reverse engineered to design attacks for Windows XP.
Newer versions of Windows also include improved security features that make them much less susceptible targets. In fact, according to some estimates, Windows 8 is 21 times less likely to be infected by malware than is Windows XP, and that’s before the end of support.
Not upgrading may also make you ineligible for new software and upgrades and could limit your ability to take advantage of technologies like virtualization and cloud computing that can enhance the security and accessibility of your infrastructure.
What You Need to Do
Upgrade. Start now.
There are two basic ways to go about this—you can either install a newer version of Windows on your already-existing machines, or you can purchase new or refurbished machines with Windows 7 or 8 already installed. Which option you choose will depend on a few things: your budget, the state of your current technology (are your machines still in good condition and capable of being upgraded?), the time you have to devote to this project, and your software requirements.
The other major decision you have to make is which operating system you are going to move to. Windows 7 is tried-and-true. It has been in use, and stable, for years. Its user experience is also very similar to that offered by Windows XP, so there will be little to no learning curve for your employees. Windows 8, on the other hand, is Microsoft’s latest and greatest. It includes enhanced features and will be the longest-supported of the operating systems that are currently available. It does offer a bit more of a challenge in getting used to the system, but there are ways around that.
Better Patient Experience
Besides the security and compliance benefits, there may be a number of others. Replacing outdated computer equipment, for example, could speed up the patient flow in your office as you are able to check people in and out and find and update information much faster.
You may also choose or need to implement updated software while you are making the change to a new version of Windows. You may want to look into a solution that allows patients to view updates to their charts or accounts online, thus allowing them to be more in touch with their healthcare.
Steps to Migration
You don’t have very much time left to make the change, but still, you need to do things right or you could cause more problems for yourself in the long run.
- Contact vendors to see what you need to do to move your software/licensing – This is a critical step. Make sure that your current software is going to work on a newer version of Windows. If not, you may need to upgrade or find a new solution.
- Make a plan to ensure that office operations will not be disrupted by the upgrade – It’s probably not a good idea to try to upgrade all your systems in one day. Work with a consultant or a service and move a few systems at a time so that your business can keep working while you’re making the move.
- Back up your data and settings – This may be obvious, but it still needs to be said. Don’t try moving to the new system without somehow backing your data and settings up. You don’t want to lose everything just because you somehow make a mistake in the upgrade process.
- You need to upgrade everything – You need to upgrade all your machines—even the ones that are not connected directly to the internet, and even ones that you don’t think contain any patient data. Nearly every machine in a medical practice deals—directly or indirectly—with information that is HIPAA-regulated. Isolated machines are held to the same standards as internet-ready ones, and you may be held liable.
What If I Really Can’t Upgrade Before the Deadline?
If you haven’t started the migration process already, there’s a good chance that you may not get a chance to upgrade all of your computers before April 8. While you need to understand that these machines will no longer be HIPAA-compliant, there are some steps that you can take to limit your risk of attack:
- Download the last updates from Microsoft – Make sure your machines are all up-to-date with the latest patches and security upgrades up to and including April 8.
- Get good anti-virus, anti-malware, and firewall software – These things won’t make you compliant, true, but they can block and identify threats for you.
- Stop using Internet Explorer – Get a browser that will continue to patch security holes.
- Remove vulnerable plug-ins and third party software – As useful as they are, Flash and Java are traditional weak spots in many computer systems. Get rid of any unnecessary programs or software.
- Don’t use an administrator account – Remove administrator permissions from the account you use most frequently.
- Disconnect from the internet if at all possible – If it’s not possible, go to only websites that you trust and are needed for the continued operation of your practice.
- Upgrade as soon as possible – Don’t put it off—make the change as soon as you can.
Are you still using XP? What has been your experience?
Matt Smith works for Dell and has a passion for learning and writing about technology. Outside of work he enjoys entrepreneurship, being with his family, and the outdoors.