By now, you’ve probably heard a growing choir of consultants and industry professionals harping on the perils of running Windows XP on devices that carry patient data. The argument goes that since Microsoft is ending its support for that operating system, data stored on XP-powered devices is at serious risk for breaches, hackers, and other cyber dangers. “Hurry up and upgrade your Windows or else!” goes the warning. Don’t believe everything you read.
The real challenge
We don’t mean to diminish the importance of addressing XP as an unsupported platform. Yes, it’s a problem. But the real challenge is that Windows XP is just one of many unsupported, unpatched platforms operating life-saving devices today. Removing every XP device from your hospital will, on its own, do little to improve your risk profile.
In reality, many medical devices (including major diagnostic and therapeutic devices like CT scanners, MRIs and lab machines) carry at least eight versions of Windows that predate XP as well as several versions of DOS, the iconic black screen of the 1980s.
Remember when you used to play Atari? Hospitals still use devices with operating systems from that era to diagnose and treat patients, as well as capture and maintain their data today. (You’ll likely find one just down the hall from you as you read this.) As for devices running on more current versions of Windows, most of them haven’t been patched either.
We worry about keeping financial systems up to date, so why wouldn’t we take the same care with medical devices that can be compromised just as easily, jeopardizing the health of patients along with their data?
Why not upgrade all systems?
The primary obstacle to upgrading all systems, in three letters, is the FDA. Because medical devices are FDA-regulated, we can’t treat them as conventional computers, updating their software, patching operating systems, or bolting on anti-virus or encryption as we see fit. Doing so would alter the state in which the device was cleared or approved, potentially corrupting the device’s function or the data stored in it.
Instead, any modification to a medical device must be validated, regression-tested and released by the manufacturer first. (The FDA’s own guidance since 2005 has been that routine cybersecurity patches to off-the-shelf software rarely require a new premarket submission, but the manufacturer must still validate the change under its quality system, and that validation is the step that takes time.) No one is saying this requirement is a bad thing; it is a necessary safeguard designed to ensure data accuracy and patient safety.
What to do
Outside of working with manufacturers to update medical device software, what’s a healthcare provider to do? Below are four steps for greater security and compliance:
If you do nothing else, please observe the first recommendation: complete a risk assessment that captures every place ePHI is created, stored, processed or transmitted in your organization, including the medical devices themselves. Not only does that assessment fulfill the risk analysis the HIPAA Security Rule requires (45 CFR 164.308(a)(1)(ii)(A)), but it’s also the foundation for identifying your true risk level and the steps necessary for greater ePHI security and compliance.
Armed with those findings, you’ll be able to identify high-impact steps that don’t waste your resources on short-sighted Band-Aids like a Windows XP witch-hunt, which only addresses a small part of the problem.
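A concrete way to start the inventory that first recommendation calls for is to flag, from whatever asset list you already have, every ePHI-bearing device whose operating system is past vendor support or whose patching has lapsed. The Python below is an added example, not code from the article or from eProtex: the inventory rows are constructed, the end-of-support dates are Microsoft’s published ones, and the assessment date (AS_OF) and staleness threshold (STALE_DAYS) are assumptions. Run against a real inventory, the breakdown it prints is what tells you whether XP is the bulk of your unsupported estate or, as argued above, one slice of it.

```python
"""Flag unsupported and unpatched operating systems in an asset inventory.

Added example, not from the article. The inventory rows are constructed;
the end-of-support dates are Microsoft's published extended-support end
dates; AS_OF (the assessment date) and STALE_DAYS are assumptions.
"""
import csv
import io
from collections import Counter
from datetime import date

# Microsoft's published end-of-extended-support dates. An OS name that is
# not in this table is treated as unsupported until the manufacturer
# documents otherwise.
END_OF_SUPPORT = {
    "MS-DOS": date(2001, 12, 31),
    "Windows 95": date(2001, 12, 31),
    "Windows NT 4.0": date(2004, 6, 30),
    "Windows 98": date(2006, 7, 11),
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Vista": date(2017, 4, 11),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

AS_OF = date(2018, 1, 1)   # assumed assessment date
STALE_DAYS = 365           # assumed threshold for "patching has lapsed"

# Constructed sample inventory; a real one would come from a CMDB or the
# biomed asset system. last_patched is blank when the device was never patched.
SAMPLE_INVENTORY = """\
asset,os,stores_ephi,last_patched
CT scanner 1,Windows XP,yes,2012-03-01
MRI suite A,Windows 2000,yes,2008-11-15
Lab analyzer 3,MS-DOS,yes,
Infusion pump controller,Windows 7,no,2014-05-20
Radiology workstation,Windows 7,yes,2017-12-01
Ultrasound cart,Windows Vista,yes,2015-06-30
Billing server,Windows 10,yes,2017-12-20
"""


def load_inventory(text):
    """Parse the CSV inventory into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def is_unsupported(os_name, as_of):
    """True if vendor support ended before as_of, or the OS is unknown."""
    end = END_OF_SUPPORT.get(os_name)
    return end is None or end < as_of


def assess(rows, as_of=AS_OF, stale_days=STALE_DAYS):
    """Return findings for every ePHI-bearing asset that is unsupported or unpatched.

    Devices holding no ePHI are skipped: the HIPAA risk analysis is scoped to
    ePHI, and skipping them keeps the report focused on what it is for.
    """
    findings = []
    for row in rows:
        if row["stores_ephi"].strip().lower() != "yes":
            continue
        reasons = []
        if is_unsupported(row["os"], as_of):
            reasons.append("unsupported OS")
        last = row["last_patched"].strip()
        if not last:
            reasons.append("never patched")
        elif (as_of - date.fromisoformat(last)).days > stale_days:
            reasons.append("patching stale")
        if reasons:
            findings.append({"asset": row["asset"], "os": row["os"], "reasons": reasons})
    return findings


def unsupported_breakdown(findings):
    """Count unsupported-OS findings per OS and isolate the Windows XP share.

    Returns (xp_count, unsupported_total, counter_by_os).
    """
    by_os = Counter(f["os"] for f in findings if "unsupported OS" in f["reasons"])
    return by_os.get("Windows XP", 0), sum(by_os.values()), by_os


if __name__ == "__main__":
    results = assess(load_inventory(SAMPLE_INVENTORY))
    for f in results:
        print(f"{f['asset']:<26} {f['os']:<20} {', '.join(f['reasons'])}")
    xp, total, by_os = unsupported_breakdown(results)
    print(f"\nUnsupported ePHI assets: {total}; running Windows XP: {xp}")
    for os_name, n in by_os.most_common():
        print(f"  {os_name}: {n}")
```

On the constructed rows, four of the six ePHI-bearing devices are on unsupported operating systems and only one of those four is Windows XP; the two supported Windows 7 and Windows 10 machines are kept out of the findings because they were patched within the year. Swap in your own export and the same report shows where remediation effort actually belongs.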
Derek Brost is the Chief Security Officer for eProtex. He spearheads the development and implementation of solutions to health IT security and HIPAA compliance demands. As such, he oversees risk assessment and mitigation efforts for more than 100 healthcare facilities nationwide.
© 2018, TechNation Magazine.