by Derek Brost
By now, you’ve probably heard a growing choir of consultants and industry professionals harping on the perils of running Windows XP on devices that carry patient data. The argument goes that since Microsoft has ended its support for that operating system, data stored on XP-powered devices is at serious risk of breaches, hackers and other cyber dangers. “Hurry up and upgrade your Windows or else!” goes the warning. Don’t believe everything you read.
The real challenge
We don’t mean to diminish the importance of addressing XP as an unsupported platform. Yes, it’s a problem. But the real challenge is that Windows XP is just one of many unsupported, unpatched platforms operating life-saving devices today. Removing every XP platform from your hospital will, by itself, do little to improve your risk profile.
In reality, many medical devices (including major diagnostic and therapeutic devices like CT scanners, MRIs and lab machines) carry at least eight versions of Windows that predate XP as well as several versions of DOS, the iconic black screen of the 1980s.
Remember when you used to play Atari? Hospitals still use devices with operating systems from that era to diagnose and treat patients, as well as capture and maintain their data today. (You’ll likely find one just down the hall from you as you read this.) As for devices running on more current versions of Windows, most of them haven’t been patched either.
We worry about keeping financial systems up to date, so why wouldn’t we take the same care toward medical devices that can be corrupted just as easily, jeopardizing the health of patients and their data?
Why not upgrade all systems?
The primary obstacle to upgrading all systems, in three letters, is the FDA. Because medical devices are FDA-regulated, we can’t treat them as conventional computers, updating their software, patching operating systems or bolting on anti-virus and encryption as we see fit. Doing so would alter the validated configuration the device was cleared in, potentially corrupting the device’s function or the data stored on it.
Rather, any modification to a medical device must be validated, regression-tested and released by the manufacturer first. (FDA guidance has long said that most cybersecurity patches do not need a new premarket submission, but it holds the manufacturer responsible for validating them; that is why a hospital cannot simply run Windows Update on a CT scanner.) No one is suggesting this requirement is a bad thing; it is a necessary safeguard designed to ensure data accuracy and patient safety.
What to do
Outside of working with manufacturers to update medical device software, what’s a healthcare provider to do? Below are four steps for greater security and compliance:
- When conducting your HIPAA-mandated risk assessment, be sure to include every place where ePHI resides in your facility. Think beyond traditional computers and tablets. A typical hospital averages two medical devices per bed that capture, store or transmit ePHI. That includes behemoth devices like MRIs all the way down to more ordinary patient care tools like pulse oximeters or IV pumps that regulate medicine dosages. If it has patient data in it, it’s subject to HIPAA.
- Evaluate whether legacy systems connected to your network really need to be connected. Are there more secure ways to get the data from a device to the network, such as exporting it to an encrypted USB device and uploading it from a managed workstation where or when needed? (Keep in mind that removable media is itself a well-worn malware path into devices, so that route needs its own controls, such as scanning the media and restricting which machines accept it.) Not all devices need to “talk” to each other, the Internet, or your network. Limit those capabilities where no real need exists, and put the devices that must stay connected on their own segment with rules that allow only the documented traffic; a modality that only needs to push images to PACS has no business reaching the Internet.
- Determine whether you need to keep information on a medical device once it is in the patient’s chart. Why leave test results on a laptop-based medical device when the device itself is so easy to steal? If nothing else, purge old exams on a regular schedule (daily, weekly or monthly), after confirming that each has been transferred to your EHR. Verify the transfer first, then delete, never the other way round.
- Because Windows is such a common operating system, many hospital employees use medical equipment to check email, download personal files, access their Facebook profile or surf the Internet between patient studies. Define acceptable use policies for medical devices, educate staff, and make sure the devices aren’t misused in your facility; where the manufacturer offers a locked-down configuration that removes the browser or blocks Internet access, ask for it.
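The four steps above come down to an inventory question: which devices hold ePHI, on what platform, and why are they on the network? The following Python triage is an added illustration, not code from the original article or from eProtex. It runs over a constructed device list (names, operating systems, patch dates and the “documented network need” field are all invented for the example), and the Microsoft end-of-support dates are recalled from the public lifecycle pages and should be verified before you rely on them. The as-of date is pinned to the day after XP support ended, so the output also shows how little of the unsupported-platform problem an XP-only sweep fixes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Microsoft end-of-extended-support dates as recalled from the public lifecycle
# pages; verify against the vendor before acting on them. Anything not listed is
# reported as "unknown" rather than silently treated as supported.
END_OF_SUPPORT: Dict[str, date] = {
    "MS-DOS": date(2001, 12, 31),
    "Windows NT 4.0": date(2004, 12, 31),
    "Windows 98": date(2006, 7, 11),
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}


@dataclass
class Device:
    name: str
    os: str
    stores_ephi: bool
    networked: bool
    network_need: str             # documented reason for connectivity; "" if none
    last_patched: Optional[date]  # None = never patched since deployment


def support_status(dev: Device, as_of: date) -> str:
    """Return 'unsupported', 'supported' or 'unknown' for the device's OS on a given date."""
    eos = END_OF_SUPPORT.get(dev.os)
    if eos is None:
        return "unknown"
    return "unsupported" if as_of > eos else "supported"


def findings(dev: Device, as_of: date, max_patch_age: timedelta = timedelta(days=90)) -> List[str]:
    """Risk-assessment findings for one device, mirroring the steps in the list above."""
    out: List[str] = []
    status = support_status(dev, as_of)
    if dev.stores_ephi and status == "unsupported":
        out.append(f"ePHI on unsupported OS ({dev.os}, support ended {END_OF_SUPPORT[dev.os]})")
    elif dev.stores_ephi and status == "unknown":
        out.append(f"ePHI on OS with no lifecycle record ({dev.os}); confirm support with the manufacturer")
    if status == "supported" and (dev.last_patched is None or as_of - dev.last_patched > max_patch_age):
        out.append("supported OS but patches are stale; schedule manufacturer-validated updates")
    if dev.networked and not dev.network_need:
        out.append("networked with no documented need; isolate or disconnect")
    return out


def triage(inventory: List[Device], as_of: date) -> Dict[str, List[str]]:
    """Map device name -> findings, omitting devices with nothing to report."""
    report: Dict[str, List[str]] = {}
    for dev in inventory:
        notes = findings(dev, as_of)
        if notes:
            report[dev.name] = notes
    return report


def xp_coverage(inventory: List[Device], as_of: date) -> Tuple[int, int]:
    """(XP devices, all unsupported-OS devices) among those holding ePHI: how much
    of the unsupported-platform problem an XP-only sweep would actually address."""
    unsupported = [d for d in inventory
                   if d.stores_ephi and support_status(d, as_of) == "unsupported"]
    xp = [d for d in unsupported if d.os == "Windows XP"]
    return len(xp), len(unsupported)


# Constructed inventory for the example; every device, OS and date here is invented.
INVENTORY = [
    Device("CT scanner", "Windows 2000", True, True, "DICOM push to PACS", None),
    Device("Lab analyzer", "MS-DOS", True, True, "", None),
    Device("Ultrasound cart", "Windows XP", True, True, "DICOM push to PACS", date(2012, 3, 1)),
    Device("Nurse workstation", "Windows 7", True, True, "EHR access", date(2013, 1, 5)),
    Device("IV pump", "vendor RTOS", True, False, "", None),
    Device("Bone densitometer", "Windows NT 4.0", True, False, "", None),
    Device("Endoscopy laptop", "Windows XP", True, True, "", date(2011, 6, 1)),
]

AS_OF = date(2014, 4, 9)  # the day after Windows XP support ended


if __name__ == "__main__":
    for name, notes in triage(INVENTORY, AS_OF).items():
        print(name)
        for note in notes:
            print("  -", note)
    xp, total = xp_coverage(INVENTORY, AS_OF)
    print(f"An XP-only sweep addresses {xp} of {total} ePHI-bearing devices on unsupported platforms.")
```

On this sample the XP sweep touches two of five ePHI-bearing devices on unsupported platforms; the Windows 2000 CT scanner, the DOS lab analyzer and the NT 4.0 densitometer stay exactly where they were, and the one supported workstation is flagged for stale patches. The empty network_need field is the part worth copying into a real assessment: if nobody can write down why a device is on the network, that is the finding.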
If you do nothing else, please observe the first recommendation: complete a risk assessment that captures all places where ePHI is stored in your organization. Not only does that assessment fulfill a vital HIPAA requirement, but it’s also the foundation for identifying your true risk level and steps necessary for greater ePHI security and compliance.
Armed with those findings, you’ll be able to identify high-impact steps that don’t waste your resources on short-sighted Band-Aids like a Windows XP witch-hunt, which only addresses a small part of the problem.
Derek Brost is the Chief Security Officer for eProtex. He spearheads the development and implementation of solutions to health IT security and HIPAA compliance demands. As such, he oversees risk assessment and mitigation efforts for more than 100 healthcare facilities nationwide.