Safeguard your PHI from security threats.
Did you know that your faithful old companion laptop could land you in hot water, especially if you still cling to Windows XP in your office? Well, you are not alone! Despite the fact that Microsoft officially stopped supporting the Windows XP Operating System in April 2014, about 250 million users worldwide are still actively using Windows XP, according to the website redmondmag.com.
Read on to know how this affects your practice and what measures you can take to avoid any potential damage.
Background: With Windows 10 around the corner, it’s high time users let go of the Windows XP operating system (OS). Microsoft has repeatedly warned that this software, no longer supported by Microsoft, is prone to security vulnerabilities that will eventually put its users at risk. Microsoft has stopped providing security updates for XP. Continuing to run such an unsupported OS may eventually land you in trouble: audits, suspension of certification, and even public notification of your organization’s inability to keep confidential information secure.
“Many offices are aware of this because of the changes to EMR,” says Doreen Boivin, CPC, CCA, with Chiro Practice, Inc., in Saco, Maine.
Know What the Office for Civil Rights Has to Say
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity? The Security Rule was written to give covered entities the flexibility to implement the security measures that best fit their organizational needs.
According to a statement from the Office for Civil Rights (OCR), “The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI).” These requirements include technical safeguard standards such as audit controls, unique user identification, integrity, person or entity authentication, and transmission security.
The OCR adds further, “Any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).”
Here Is What You Can Do
As a once-and-for-all solution, you may want to do the obvious: upgrade every device that still runs Windows XP. This may even turn out to be cost effective, given the fines organizations have paid for lost information in the recent past, to the tune of $1.5 million for a single lost laptop! If you have a larger office, you may need to hire an IT professional for the job, because upgrading means replacing both hardware and software.
Buying time: If upgrading is not feasible right now and you would like to buy some more time, you can follow the latter half of the OCR guidance. At the least, you should begin by formalizing a plan to identify and minimize the potential security risks from Windows XP. To be HIPAA compliant, the minimum requirement is that you perform a formal risk analysis in writing. You should also be “addressing” those risks, i.e., devise documented strategies to minimize them.
What’s more, your plan should include a timeline that leads to eventually upgrading your OS. Ultimately, replacing your XP systems is the only lasting solution.
Plus: Have a chiropractic compliance officer within your practice who stays abreast of the changing times and helps your office maintain compliance in the areas of HIPAA, coding, fee schedules, etc.
“If the provider isn’t able to have a staff member take care of this, then they should reach out to colleagues, local associations, the ACA,” suggests Boivin. “It’s important to have compliance in place. It’s part of OIG.”