The answer to the question “Is Windows HIPAA compliant?” is the same as for any other operating system or software solution: it depends. First, Windows is not inherently non-HIPAA compliant. It is possible to set up a workstation built on the Windows platform that fulfills all of the requirements of each aspect of HIPAA. However, there are many caveats that one has to account for.
For example, using an older version of Windows, such as the ubiquitous Windows XP, leaves one well into the realm of non-compliance. In short, Microsoft stopped releasing security updates and declared that Windows XP would no longer be supported as of April 8, 2014. This means that if an exploit is discovered for XP, even one as catastrophic as giving administrator privileges with a few keystrokes, it will not be fixed by Microsoft. Why is this? Basically, a software company can only be expected to support old software for a certain amount of time. XP has long since become legacy software, despite its pervasiveness and popularity. It has been supplanted by not one, but three subsequent releases of Windows (two of which are considered similarly reliable or better).
XP was widely found in workstations used by clinical staff, CT machines, and many other critical medical devices. In the past, when Microsoft was still supporting XP and releasing frequent security updates, it did fulfill the rules of HIPAA. Many of these devices were or are still connected to electronic medical record systems, and disconnecting them is not a viable option, since the users still need access to these systems. The first line of defense is upgrading. If one’s company is on top of things, this has been accomplished already. XP becoming unsupported was no surprise, and was a long time coming. In fact, the end-of-life date was pushed back several times. In some cases, legacy applications that only run on XP are required. If this is the case, the only real option that does not leave one non-compliant is to work with the vendors of these programs to find versions that are compatible with those versions of Windows that are potentially HIPAA compliant (such as Windows 7 or Windows 8). If no suitable versions can be found, finding alternatives that are compatible is not just a good idea, it is a requirement. Inability to upgrade is no excuse for HIPAA violations and will not remove liability.
However, with all of this in mind, it’s worth noting that having a computer still running Windows XP on a network that is HIPAA compliant is not an automatic failure of a HIPAA audit. There has been some talk that the rhetoric leading to this assumption was drummed up by Microsoft’s publicity department in an effort to ship more copies of the newer versions of Windows. While this may be the case, there are many instances where an XP computer in a company’s workflow can represent a point of failure in HIPAA compliance simply by nature of its software. It is imperative that HIPAA professionals continue to do their frequent risk analyses and find alternatives to XP where possible.
In the unlikely case that an XP computer is absolutely central to the functioning of a company, locking it down carefully could mean the difference between a colossal failure to pass a HIPAA audit and a narrow pass. It is also worth mentioning that even if keeping an XP machine on a network is judged mission critical today, it may not be so tomorrow. Wherever possible, look for ways to move away from old legacy software, especially Windows XP.