Windows XP & HIPAA Compliance

It isn’t new news – yet some have buried their heads in the sand for far too long. As of April 8th 2014 Microsoft will no longer support Windows XP in any form. This means that users of Windows XP will not receive patches, security updates or support moving forward. This effectively makes running XP an impossibly risky and dangerous proposition for any organization wanting compliance, stability or security for its IT infrastructure. We in the IT community term it a “perpetual zero day”, meaning it will be perpetually vulnerable with no ability to remediate or fix it. This is especially bad for healthcare IT organizations attempting to maintain compliance with HIPAA, as the fines and the damage to brand and organization are quite stiff. For example:

WellPoint Settles HIPAA Security Case for $1,700,000 – July 11, 2013
Shasta Regional Medical Center Settles HIPAA Privacy Case for $275,000 – June 13, 2013
Idaho State University Settles HIPAA Security Case for $400,000 – May 21, 2013
HHS announces first HIPAA breach settlement involving less than 500 patients – December 31, 2012
Massachusetts Provider Settles HIPAA Case for $1.5 Million – September 17, 2012
See more examples at the HHS website.

In my Boston-based, healthcare IT focused technology consulting practice I’ve received a LOT of questions over the last year about the coming end of Microsoft Windows XP from new healthcare IT customers. Thankfully my existing customers are 100% rid of XP and running on the many alternatives such as Apple OS X, Windows Vista/7/8 and Linux. To those of us in the technology community this is old news and we’ve long since removed XP from our networks.

Time to Upgrade XP

The takeaway is simple: XP should be replaced with all due swiftness, but a larger takeaway exists from this situation. I describe it as the Xpocalypse, or end of days for Windows XP. Simply said, plan to upgrade ASAP! Microsoft makes this infinitely clear on their Security Blog: “There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. This means that any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft.” See the full post at the MS Security Blog.

Windows XP is a Perpetual Zero Day

Yup, it's time to upgrade to anything else! According to Microsoft’s director of Trustworthy Computing: “Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a ‘zero day’ vulnerability forever.” A zero day is a vulnerability that is not yet known to the vendor itself but is known to the underground cybercriminal community. This effectively means cybercriminals can endlessly exploit XP with impunity and users will have no way to defend against it. See the full post at the MS Security Blog.

“Securing” XP Is No Longer Possible

The myopic misunderstanding by some non-tech-savvy business people that they will be safe running Windows XP because they have a firewall and anti-virus (anti-malware) is completely incorrect. The cybercriminals of today are not a laughing matter. Often funded by organized crime and foreign governments, these criminals are sophisticated, well funded and technically skilled. Having a simple firewall and anti-malware solution will not stop a persistent threat. Running a vulnerable operating system is asking for HIPAA headaches. Additionally, we in the information security community know that cybercriminals have been hoarding yet-to-be-published vulnerabilities that will be exploited without any way for you to defend against them. Simply put, XP is risky business from both a HIPAA compliance and an information security perspective.

Rid of all EOL/EOS (End of Life/End of Support) Software/Hardware

When a vendor announces the end of life or end of support of software or hardware you should start to plan to migrate to a new or upgraded solution. Simply put: the security, compliance and real economic harms dramatically outweigh the “cost savings” of not upgrading.


Often problems bring a silver lining. With the case of XP EOL/EOS we have an opportunity to rethink the desktop. No longer do we have to spend lots on our desktop machines; instead we can use low-end machines, or even recycle those we have, and use virtualization technology to consolidate our desktop infrastructure into VDI. Virtual Desktop Infrastructure moves your desktops into the world of virtualization on a consolidated server. It reduces the cost and complexity of your desktop infrastructure and improves your security and compliance.

Work with a Trusted IT Partner

Last, work with a trusted IT partner or IT service provider. The investment will be worth its weight in gold in reduced downtime, avoided spiraling costs and avoided HIPAA enforcement costs. Again, I hope this doesn’t scare you but instead enlightens you toward positive action in the future. Technology always requires planning and effort, but its effective gains will always prove a wise investment.

9 thoughts on “Windows XP & HIPAA Compliance”

  1. I just recently upgraded all my office computers from office XP to Windows 8. It’s definitely going to take some time to get used to, but at least I won’t have to worry about HIPAA compliance issues for a while.

  2. After having been in a loving relationship with Windows XP, I reluctantly bought my copy of Windows 7. I am not even going to touch Windows 8 or 8.1, until all those issues are appropriately fixed! Especially, some of the security flaws that I hear have been purposefully implemented into the OS… In any case, Windows 7 seems like a prettier version of XP to me, with some fairly useful features too.

  3. To me, this seems like Microsoft’s way of getting more people to purchase one of their newer operating systems, and more specifically Windows 8. I have no idea why they are trying to push their mobile OS onto more PC owners, but in my opinion it is a bad move by the company. Unless of course, this is more of a matter of Windows XP taking too much to maintain any longer, as it continues to be more outdated, but I find that hard to believe. In the end, XP is my favourite Windows OS, closely followed by Windows 7, and somewhere after Windows 98 comes Windows 8 haha! 🙂

  4. I understand that times are moving forward and we should be prepared to learn to use the new operating systems; for some of the older people using Windows XP, it may prove difficult to learn how to use the new ones. Especially if they end up using Windows 8, which in my opinion creates more issues than it actually solves as an OS.

  5. I am a big fan of Windows XP and was using it until last year on my laptop. But after the end of security updates I had to switch over to Windows 8. It is a bit difficult to understand at first, but now it is easy to use. Can you post about Windows 8 and HIPAA compliance?
