Windows XP & HIPAA Compliance

It isn’t news – yet some have buried their heads in the sand for far too long. As of April 8th 2014 Microsoft will no longer support Windows XP in any form. This means that users of Windows XP will not receive patches, security updates or support moving forward. This makes running XP an unacceptably risky proposition for any organization that wants compliance, stability and security in its IT infrastructure. We in the IT community term it a “perpetual zero day”: the operating system will be perpetually vulnerable, and no vendor fix will ever arrive to remediate it. This is especially bad for healthcare IT organizations attempting to maintain compliance with HIPAA, as the fines and the damage to brand and organization are quite stiff. For example:

WellPoint Settles HIPAA Security Case for $1,700,000 – July 11, 2013
Shasta Regional Medical Center Settles HIPAA Privacy Case for $275,000 – June 13, 2013
Idaho State University Settles HIPAA Security Case for $400,000 – May 21, 2013
HHS announces first HIPAA breach settlement involving less than 500 patients – December 31, 2012
Massachusetts Provider Settles HIPAA Case for $1.5 Million – September 17, 2012
See more examples at the HHS website.

In my Boston based, healthcare IT focused technology consulting practice I’ve received a LOT of questions over the last year about the coming end of Microsoft Windows XP from new healthcare IT customers. Thankfully my existing customers are 100% rid of XP and running on the many alternatives such as Apple OS X, Windows Vista/7/8 and Linux. To those of us in the technology community this is old news and we’ve long since removed XP from our networks.

Time to Upgrade XP

The takeaway is simple: XP should be replaced with all due swiftness, but a larger takeaway exists from this situation. I describe it as the Xpocalypse, or end of days for Windows XP. Simply said, plan to upgrade ASAP! Microsoft makes this infinitely clear on their Security Blog: “There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. This means that any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft.” See the full post at the MS Security Blog.

Windows XP is a Perpetual Zero Day

According to Microsoft’s director of Trustworthy Computing: “Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a ‘zero day’ vulnerability forever.” A zero day is a vulnerability for which no vendor fix exists when it is first exploited, so defenders have had “zero days” to patch. Normally that window closes when the vendor ships an update; for XP after April 8th it never closes, so every new vulnerability found in XP stays a zero day. This effectively means cybercriminals can endlessly exploit XP with impunity and users will have no way to patch against it. See the full post at the MS Security Blog.

“Securing” XP Is No Longer Possible

The myopic misunderstanding of some non-tech-savvy business people that they will be safe running Windows XP because they have a firewall and anti-virus (anti-malware) is completely incorrect. A firewall filters network traffic and anti-malware recognizes known malicious code; neither fixes the underlying flaw in the operating system, and neither stops an exploit that arrives through an allowed channel such as a web browser, an email attachment or a USB drive. The cybercriminals of today are not a laughing matter. Often funded by organized crime and foreign governments, these criminals are sophisticated, well funded and technically skilled. Having a simple firewall and anti-malware solution will not stop a persistent, well-resourced attacker. Running a vulnerable operating system is asking for HIPAA headaches. Additionally, we in the information security community know that cybercriminals have been hoarding yet-to-be-published vulnerabilities that will be exploited without any way for you to defend against them. Simply put, XP is risky business from both a HIPAA compliance and an information security perspective.

Get Rid of All EOL/EOS (End of Life/End of Support) Software and Hardware

When a vendor announces the end of life or end of support of software or hardware you should start planning a migration to a new or upgraded solution right away, so that the replacement is in production before the support date passes. Simply put: the security, compliance and real economic harms dramatically outweigh the “cost savings” of not upgrading.

Often problems bring a silver lining. In the case of XP EOL/EOS we have an opportunity to rethink the desktop. No longer do we have to spend a lot on each desktop machine; instead we can use low-end machines, or even recycle those we have, and use virtualization technology to consolidate our desktop infrastructure into VDI. Virtual Desktop Infrastructure moves your desktops into the world of virtualization on a consolidated server. It reduces the cost and complexity of your desktop infrastructure and improves your security and compliance, provided the virtual desktops themselves run a supported operating system. Virtualizing XP does not remove the risk; an unpatched XP guest is just as exploitable as an unpatched XP PC.

Work with a Trusted IT Partner

Last, work with a trusted IT partner or IT service provider. The investment will be worth its weight in gold in reduced downtime, avoided spiraling costs and avoided HIPAA enforcement costs. Again, I hope this doesn’t scare you but instead enlightens you toward positive action in the future. Technology always requires planning and effort, but its effective gains will always prove a wise investment.

Joseph P. Guarino has a long history of producing business results through the application of information technology. Joseph's expertise spans over 15 years in the private sector at leading technology firms and consulting organizations. With Evolutionary IT, he saw a market need to bring his transformative knowledge and expertise to firms in the New England area and worldwide. Joseph is driven by a strong desire to see customers thrive with the best business solutions. Evolutionary IT evolved out of this desire to bring a new level of quality IT solutions, align them with business goals and give customers a competitive edge.