The HIPAA Security Rule requires Covered Entities and Business Associates to guard electronic PHI against malicious software and to address known risks, and an operating system whose vendor no longer ships security patches does neither. On January 14, 2020, Microsoft ends support for Windows 7, one of its most popular operating systems. If your practice (or business, for Business Associates) still has Windows 7 on its network, start planning the migration to Windows 10 now; 2020 is only a few months away. Windows 10 upgrades are still available at no charge to Windows 7 users, so there is little reason to wait. If you are still running Windows 7 after January 14, 2020, and you attest under MIPS, you have a second problem: part of attesting is asserting your HIPAA compliance.
A new report shows that businesses continue to use older operating systems such as Windows 7, and even Windows Vista, even though they are no longer supported and less secure compared to Windows 10.
The web analytics firm NetMarketShare reports that Windows 10 has seen significant uptake and is close to 50% market share, but a new report from Kaspersky Security Network shows that many users are still actively running outdated operating systems such as Windows 7 and Vista.
According to new research from Kaspersky, many of its customers are still using Windows 7 and that’s primarily due to its huge number of enterprise users. The research shows that 41% of surveyed customers still use Windows 7.
Even worse, some are still using Windows XP and Windows Vista, which are no longer supported and therefore do not receive security updates.
Broken down by customer segment, Windows 7 remains common across the board, and among businesses it is as widespread as Windows 10:
“More than a third (38%) of consumers and VSBs, and 47% of SMBs and enterprises, still run this OS. For small, medium-sized and enterprise business segments, the share of Windows 7 and the newest version Windows 10 (47% of workstations work on this OS) is the same,” the report reads.
“The widespread use of Windows 7 is concerning as there is less than six months to go until this version becomes unsupported,” said Alexey Pankratov, enterprise solutions manager at Kaspersky.
There are less than six months to go until Windows 7 becomes unsupported. According to Microsoft, Windows 7 will officially stop receiving the monthly security updates on 14 January 2020.
In its report, Kaspersky said that an old unpatched OS is a cybersecurity risk and it is highly recommended that users upgrade to the latest version of Windows.
The HIPAA Security Rule requires Covered Entities and Business Associates to conduct a risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)) and to implement procedures for guarding against malicious software (45 C.F.R. § 164.308(a)(5)(ii)(B)). Neither provision names a product, but an operating system that no longer receives security updates cannot be defended in a risk analysis: every vulnerability discovered after the cutoff stays open permanently, and patching it is exactly the control the malicious-software specification expects. On January 14, 2020, Microsoft ends all support for Windows 7. After that date, a Windows 7 computer on your network with access to PHI is a HIPAA problem; Windows 7 HIPAA compliance won't be possible.
From Microsoft’s Windows 7 Web page:
Support for Windows 7 is ending
All good things must come to an end, even Windows 7. After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running Windows 7. But you can keep the good times rolling by moving to Windows 10.
Is Windows 7 HIPAA compliance still possible?
Yes, for now. If you are using Windows 7 today and it is fully patched, you can still achieve compliance. After January 14, 2020, that will no longer be true. As stated above, even a single Windows 7 computer on your network at that point puts you in violation of the HIPAA regulations. Extended support for Windows 7 ends and no further updates will be available from Microsoft, including fixes for any new security holes found in Windows 7 after that date.
Because of its popularity, many Covered Entities and Business Associates are still using Windows 7. Migrating a large number of computers takes time and planning, and the main constraint is finishing before you attest for Meaningful Use.
No meaningful use using Windows 7
This becomes very serious when a Covered Entity goes to attest under MIPS for Meaningful Use (now the Promoting Interoperability category). That attestation includes a statement that the entity has conducted its HIPAA security risk analysis and is compliant. If a Covered Entity still has a Windows 7 computer in service next year and attests anyway, it is stating that it is compliant when it cannot be, and that is a false attestation on top of the compliance gap itself.
What do you need to do?
Here are some steps you can follow to get migrated over to Microsoft Windows 10 and remain in HIPAA compliance.
Perform a Risk Assessment:
If you haven't already done so, do a thorough Risk Assessment of your practice (or business). It must include an asset inventory, and that inventory is what reveals every computer running Windows 7, including the ones nobody remembers.
Assess your current hardware: Will you need new hardware? If so, how will you purchase it? If your current computers meet the Windows 10 requirements, you can move forward with in-place upgrades.
Plan your Windows 10 Migration:
If you need new computers, get them ordered now. If your existing computers are good, download the Windows 10 installer. Microsoft doesn't publicize it, but you can still upgrade from Windows 7 to Windows 10 at no charge. Back up each machine before the upgrade and verify that your practice management and EMR software are supported on Windows 10 before you start.
Dispose of old Windows 7 computers:
Your old Windows 7 computers will still have Protected Health Information on them. Wipe the drives with a secure method before disposal; NIST SP 800-88 is the standard reference for media sanitization. Note that a simple overwrite is not reliable on SSDs, so use the drive's secure erase (or cryptographic erase) function or physically destroy the drive. If you engage an outside service, make sure they provide a certificate of destruction to add to your HIPAA documentation. This demonstrates your due diligence in destroying the PHI that may have been on the old drives.
Other Microsoft software that is no longer supported:
If you are one of the 5% still using Windows XP, it's time to upgrade. Support for Windows XP ended in April 2014. Windows XP was such a stable and well-liked operating system, very much like Windows 7, that many people didn't want to leave it. However, there have been no security updates for Windows XP for years and it cannot be considered safe. On top of that, it is very much a HIPAA violation.
Windows Vista, one of Microsoft's least popular operating systems, is used less than 1% of the time. Its support ended in April 2017. If you are still using Vista, this is a HIPAA violation.
Windows 8 still holds about 5% of the market, but be careful which version you have: support for the original Windows 8 ended in January 2016, and only Windows 8.1 remains in extended support, until January 2023. A Windows 8 machine must at least be moved to 8.1.
Another issue waiting to bite practices and their business associates is servers running Windows Server 2003 and 2008. Windows Server 2003 was retired in July 2015, and Windows Server 2008 and 2008 R2 will be retired on the same day as Windows 7, January 14, 2020. Servers are kept in service far longer than workstations and, because of this, they are forgotten.
If you are running a server on either of these operating systems, it is time to upgrade, and the server itself will likely need to be replaced, because hardware that old won't run the current Windows Server releases. Installing a new server is a much longer project than swapping workstations: it involves relocating practice management and EMR data, setting up a new domain for your office, and configuring security for compliance.
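As an added example that is not part of the original article or of any Microsoft tooling, the following PowerShell script builds the inventory that both the Risk Assessment step above and the server section call for: it asks Active Directory for every computer object whose operating system is out of support (XP, Vista, 7, Server 2003, Server 2008 and 2008 R2), probes the reachable ones over CIM for RAM and system-drive size, and flags which workstations clear the assumed Windows 10 minimums. The 90-day staleness window, the 2 GB RAM and 32 GB disk thresholds, the OS name patterns and the output file name are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original article). Assumes a domain-joined
# admin workstation with the RSAT ActiveDirectory module, an account with
# read access to AD and local admin rights on the targets, and WinRM/CIM
# reachable on those targets.
#Requires -Modules ActiveDirectory
param(
    # Computer objects not logged on within this window are listed but not probed.
    [int]$StaleDays = 90
)

# OperatingSystem patterns whose Microsoft support has ended or ends 14 Jan 2020.
# Windows 8.1 (extended support to Jan 2023) is deliberately not listed.
# 'Windows Server*2008*' also matches objects that carry the (R) mark in the name.
$Unsupported = @(
    'Windows XP*',
    'Windows Vista*',
    'Windows 7*',
    'Windows Server*2003*',
    'Windows Server*2008*'
)

# Assumed Windows 10 minimums (1903+): 2 GB RAM for 64-bit, 32 GB system drive.
$MinRamGB  = 2
$MinDiskGB = 32

# One filter string so AD does the matching server-side instead of pulling every object.
$filter = ($Unsupported | ForEach-Object { "OperatingSystem -like '$_'" }) -join ' -or '

$computers = Get-ADComputer -Filter $filter `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, Enabled

$cutoff = (Get-Date).AddDays(-$StaleDays)

$report = foreach ($c in $computers) {
    $row = [ordered]@{
        Name       = $c.Name
        OS         = $c.OperatingSystem
        OSVersion  = $c.OperatingSystemVersion
        LastLogon  = $c.LastLogonDate
        Enabled    = $c.Enabled
        Reachable  = $false
        RamGB      = $null
        SysDiskGB  = $null
        Win10Ready = $null   # $null = not assessed (offline, stale, or a server OS)
    }

    # Disabled or stale objects stay in the report: a forgotten machine is still
    # a domain member until you decommission it and remove the object.
    if ($c.Enabled -and $c.LastLogonDate -gt $cutoff -and
        (Test-Connection -ComputerName $c.Name -Count 1 -Quiet)) {
        try {
            $cim  = New-CimSession -ComputerName $c.Name -ErrorAction Stop
            $sys  = Get-CimInstance -CimSession $cim -ClassName Win32_ComputerSystem
            $os   = Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem
            $disk = Get-CimInstance -CimSession $cim -ClassName Win32_LogicalDisk `
                        -Filter "DeviceID='$($os.SystemDrive)'"
            Remove-CimSession $cim

            $row.Reachable = $true
            $row.RamGB     = [math]::Round($sys.TotalPhysicalMemory / 1GB, 1)
            $row.SysDiskGB = [math]::Round($disk.Size / 1GB, 0)

            # Only workstations get a Windows 10 verdict; servers need a server OS
            # and, as the article notes, usually new hardware as well.
            if ($c.OperatingSystem -notlike 'Windows Server*') {
                $row.Win10Ready = ($row.RamGB -ge $MinRamGB) -and
                                  ($row.SysDiskGB -ge $MinDiskGB)
            }
        } catch {
            Write-Warning "$($c.Name): CIM query failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}

# File the CSV with your risk assessment documentation, then re-run after the
# migration: an empty report is your evidence that the unsupported systems are gone.
$report | Sort-Object OS, Name | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path ".\unsupported-os-$(Get-Date -Format yyyyMMdd).csv"
```

Run it from an elevated PowerShell session on a domain-joined machine. Hosts that show Reachable = False but a recent LastLogon are the ones to walk the floor for; they are on the network but not answering remote queries, which is exactly the kind of machine that gets missed in a migration.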