Windows 7 - A Major HIPAA
Automation Concepts has been advising our clients for months now to upgrade their existing Windows 7 systems to Windows 10 Professional or Enterprise before the end of support, which was January 14, 2020. While most companies were able to complete the upgrades before the deadline, many are still running Windows 7 and are now risking heavy fines in the event of a breach.
The HIPAA Security Rule (45 C.F.R. § 164.308(a)(5)(ii)(B)) requires that all software used by Covered Entities and Business Associates be kept current and up to date with updates from the software vendor. If a vendor no longer supports a software program, it cannot be used. On January 14, 2020, Microsoft ended all support for Windows 7. Now that date has passed, and simply having a Windows 7 computer on your network is considered a HIPAA violation.
One of the biggest reasons we hear not to upgrade is: “We only use the systems to log into our cloud application, and that is fully compliant.” It makes no difference whether the cloud application is compliant; a single non-compliant system on your network makes your entire network non-compliant.
The next thing we hear is: “But I read somewhere that we can still use Windows 7.” So, we did a little research to make sure that we were not missing anything. We headed over to https://yourhipaaguide.com/ to get a second opinion, and here is what they have to say:
From Microsoft’s Windows 7 Web page:
Support for Windows 7 is ending. All good things must come to an end, even Windows 7. After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running Windows 7. But you can keep the good times rolling by moving to Windows 10.
Is Windows 7 HIPAA Compliance still possible?
Yes, if you are using Windows 7 now, you can still achieve compliance. However, after January 14th, 2020 that won’t be possible. As stated above, even having a single Windows 7 computer on your network at the time will be an instant violation of HIPAA regulations. Extended support for Windows 7 will end and no new updates will be available from Microsoft. This includes updates for any new security holes that are found in Windows 7 after that date.
Because of its popularity, many Covered Entities and Business Associates are still using Windows 7. Migrating a large number of computers will take time and planning. The main issue will be ensuring it’s done before attesting for Meaningful Use.
No meaningful use using Windows 7
Where this becomes very serious is when a Covered Entity goes to attest under MIPS for Meaningful Use. Meaningful Use requires that Covered Entities also attest that they are HIPAA compliant. If a Covered Entity is using a Windows 7 computer this year (2020) and goes to attest, this will be an issue. Especially since the entity is stating they are compliant when it’s not possible that they are.
What do you need to do?
Here are some steps you can follow to get migrated over to Microsoft Windows 10 and remain in HIPAA compliance.
- Perform a Risk Assessment: If you haven’t already done so, do a thorough Risk Assessment of your practice (or business). This will reveal all of the computers that are running Windows 7.
- Assess your current hardware: Will you need new hardware? If so, how will you go about purchasing them? If your current computers will be able to handle Windows 10, then you can move forward.
- Plan your Windows 10 Migration: If you need to purchase new computers, get them ordered now. If your computers are good, have your MSP do the Windows 10 updates. Microsoft doesn’t publish it widely, but you can still upgrade to Windows 10 at no charge if you are using Windows 7.
- Dispose of old Windows 7 computers: Your old Windows 7 computers will still have Protected Health Information on them. The hard drives need to be wiped with a secure wipe method before you dispose of them. If you engage an outside service, make sure they provide you with a certification of destruction to add to your own HIPAA documentation. This will validate that you performed your due diligence to destroy the PHI that may have been on the old hard drives.
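The first two steps above (find every Windows 7 or end-of-life server on the network, then judge whether the hardware can take Windows 10) are the part an MSP usually scripts. The following PowerShell is an added example written for this page; it is not code from the article or from yourhipaaguide.com. It assumes an Active Directory domain, the RSAT ActiveDirectory module on the machine running it, an account that can read computer objects and query CIM remotely, and a placeholder OU path (`OU=Workstations,DC=example,DC=local`) that you would replace with your own.

```powershell
# Added example (not from the original article): inventory domain-joined
# computers whose operating system is past vendor support, as a first pass
# for the risk-assessment step, then collect two hardware figures that a
# Windows 10 upgrade decision depends on (RAM and free space on the system
# drive). Assumes the RSAT ActiveDirectory module; the OU is a placeholder.
Import-Module ActiveDirectory

# OS name patterns the article names as no longer supported by Microsoft:
# Windows 7, Windows Server 2003, Windows Server 2008 / 2008 R2.
$UnsupportedPatterns = @('Windows 7*', 'Windows Server 2003*', 'Windows Server 2008*')

$SearchBase = 'OU=Workstations,DC=example,DC=local'   # placeholder; set to your own OU or domain root

# Pull enabled computer objects with the OS attributes AD already records.
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

# Keep only the machines whose recorded OS matches an unsupported pattern.
$Findings = foreach ($c in $Computers) {
    foreach ($p in $UnsupportedPatterns) {
        if ($c.OperatingSystem -like $p) {
            [pscustomobject]@{
                Name          = $c.Name
                DNSHostName   = $c.DNSHostName
                OS            = $c.OperatingSystem
                Version       = $c.OperatingSystemVersion
                LastLogonDate = $c.LastLogonDate
            }
            break
        }
    }
}

# For each finding that is reachable, read physical RAM and system-drive free
# space over CIM so the hardware-assessment step has real numbers to work from.
$Report = foreach ($f in $Findings) {
    $ramGb = $null; $freeGb = $null
    try {
        $cs  = Get-CimInstance -ClassName Win32_ComputerSystem  -ComputerName $f.DNSHostName -ErrorAction Stop
        $os  = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $f.DNSHostName -ErrorAction Stop
        $sys = Get-CimInstance -ClassName Win32_LogicalDisk     -ComputerName $f.DNSHostName -ErrorAction Stop |
               Where-Object { $_.DeviceID -eq $os.SystemDrive }
        $ramGb  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        $freeGb = [math]::Round($sys.FreeSpace / 1GB, 1)
    } catch {
        # Offline, or remote CIM blocked: keep the row with blank hardware
        # figures. Machines nobody can reach any more are exactly the
        # "forgotten" systems the article warns about, so do not drop them.
    }
    $f | Add-Member -NotePropertyName RAM_GB         -NotePropertyValue $ramGb  -PassThru |
         Add-Member -NotePropertyName SysDriveFree_GB -NotePropertyValue $freeGb -PassThru
}

# Oldest last-logon first: stale objects may be retired hardware that still
# holds PHI and needs the secure-wipe step rather than an upgrade.
$Report | Sort-Object LastLogonDate | Format-Table -AutoSize
$Report | Export-Csv -Path .\unsupported-windows-inventory.csv -NoTypeInformation
```

The CSV this writes is the inventory the risk assessment asks for: one row per unsupported system, with enough detail to decide between an in-place Windows 10 upgrade, replacement hardware, or disposal with a secure wipe. Note that AD only knows what each machine last reported, so a box that has not checked in for months shows up with a stale LastLogonDate and blank hardware columns; those rows are the ones to go and physically locate.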
Other Microsoft software that is not HIPAA compliant
Another issue waiting to bite practices and their business associates will be servers running Windows Server 2003 and 2008. Windows Server 2003 was retired in 2015, and Windows Server 2008 was retired at the same time as Windows 7, January 14, 2020. Servers are often used for longer periods than workstations and because of this, they are forgotten. If you are using a server with either of these operating systems, it is time to upgrade. The issue is, however, that the servers will also likely need to be replaced. Servers that old won’t be able to run the newer Microsoft operating systems for servers. Installing a new server is a much more prolonged process than changing your workstations. It involves relocating practice management and EMR data, setting up a new domain for your office and setting up security for compliance.
The HIPAA Security Rule requires that all Covered Entities or Business Associates use software that is supported by the vendor. If the software is no longer supported, it is not HIPAA compliant. On January 14, 2020, Microsoft ended support for Windows 7, one of its most popular operating systems. If your practice (or business for Business Associates) is still using Windows 7 on your network, the time is now to start planning your migration to Windows 10. The deadline is past. Start taking action now so that you won’t have a Windows 7 HIPAA compliance issue in your practice. Windows 10 upgrades are still available for free for users of Windows 7, so there is no reason not to upgrade. If you are still using Windows 7 after January 14, 2020, and attest for MIPS, then you will have another issue since part of attesting is stating your HIPAA compliance.