
It's a New Year: Are Your Systems Up to Date?

Something about Calendar Year 2020 feels futuristic. After all, it is two decades past the year 2000 (Y2K), the year in which significant problems were anticipated because of a programming shortcut in how calendar dates were formatted and stored, which broke for dates from the year 2000 onward.

Microsoft Windows 7 Announcement

On October 22, 2009 (almost 10 years later), Microsoft released Windows 7. The release was much anticipated due to the difficulties users and administrators had encountered with Windows Vista. When Microsoft released Windows 7, they committed to providing 10 years of product support. Approximately 10 years on, January 14, 2020 is the specific end-of-support day for Windows 7; meaning, after that day, technical assistance and the software updates from Windows Update that help protect your PC will no longer be available for the product. While most computers can be upgraded to Windows 10, there are millions that, although unsupported, will remain in service. What if your system(s) are still running Windows 7 after January 14, 2020? Is there anything that can be done to mitigate risks? Failure to upgrade to Windows 10 can leave many users dealing with the dreaded "blue screen of death" message from Windows. However, according to CNet, Microsoft is still offering a free download of Windows 10 for a limited time. With over 50% of users still relying on Windows 7, we recommend upgrading to a newer version of Windows to maintain proper protection against threats.

HIPAA Security Rule - What are the Requirements?

In the June 2018 Cybersecurity Newsletter, the Office for Civil Rights (OCR) stated that under the HIPAA Security Rule, covered entities and business associates are required to protect their electronic protected health information (ePHI), which includes identifying and mitigating software vulnerabilities in computer programs and systems that could affect the security of ePHI. This includes conducting a security risk analysis (SRA) and implementing measures that reduce risks and vulnerabilities to a reasonable level. From there, OCR provides guidance for mitigating risks and vulnerabilities. To address the risks and vulnerabilities of Windows 7, consider the following:

In situations where patches are not available (e.g., obsolete or unsupported software) or testing or other concerns weigh against patching as a mitigation solution, entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level (e.g., restricting network access or disabling network services to reduce vulnerabilities that could be exploited via network access).

OCR also mentions that identifying and mitigating the risks unpatched software poses to ePHI is important both to ensure the protection of ePHI and to fulfill HIPAA requirements. This includes operating systems such as Windows 7, just as it did not too long ago when Windows XP reached the point of no longer being HIPAA compliant.

Healthcare Compliance Pros recommends making sure your systems are up to date whenever possible. However, we understand that operating system upgrades are often a big challenge in the healthcare industry because of the complexity of the systems involved. Therefore, it is important to have a documented plan to mitigate the risks of using Windows 7 until your systems can be upgraded. In addition, we recommend maintaining an inventory of these systems, including what types of access to ePHI they may have and the reason why they have not already been updated. By implementing reasonable safeguards to mitigate these risks, you can protect ePHI and other sensitive data that could otherwise be exploited until you are ready to upgrade.
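As an added example (not Healthcare Compliance Pros' own tooling), the following PowerShell script builds the inventory recommended above and flags the hosts that fall under the OCR compensating-controls guidance: it queries each workstation's operating system over WMI, marks Windows 7 (kernel version 6.1) hosts as unsupported once the January 14, 2020 date has passed, and records their ePHI access and upgrade blocker in a CSV. The hostnames and the ePHI-access table are constructed placeholders; it assumes an account with administrative rights on the targets and DCOM/WMI reachability (TCP 135 plus RPC), which Windows 7 hosts expose even when WinRM was never enabled.

```powershell
# Windows 7 end-of-support inventory (added example, not from the original post).
$EndOfSupport = Get-Date '2020-01-14'

# Constructed placeholder hostnames; replace with your asset list or an AD query.
$Hosts = @('FRONTDESK-01', 'EXAMROOM-02', 'BILLING-03')

# Fill in from your own records: what ePHI each host can reach (e.g. EHR client).
$EphiAccess = @{
    'FRONTDESK-01' = 'EHR client'
    'EXAMROOM-02'  = 'EHR client'
    'BILLING-03'   = 'none known'
}

$Inventory = foreach ($h in $Hosts) {
    try {
        # DCOM reaches Windows 7 hosts that never had WinRM turned on.
        $opt = New-CimSessionOption -Protocol Dcom
        $s   = New-CimSession -ComputerName $h -SessionOption $opt -ErrorAction Stop
        $os  = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem
        Remove-CimSession $s

        # Version 6.1.* is the Windows 7 / Server 2008 R2 kernel (SP1 reports 6.1.7601).
        $isWin7 = $os.Version -like '6.1.*'
        [pscustomobject]@{
            ComputerName   = $h
            OS             = $os.Caption
            Version        = $os.Version
            LastBoot       = $os.LastBootUpTime
            IsWindows7     = $isWin7
            Unsupported    = $isWin7 -and ((Get-Date) -ge $EndOfSupport)
            ePHIAccess     = $EphiAccess[$h]
            UpgradeBlocker = ''   # document why this host has not been upgraded yet
        }
    } catch {
        # Unreachable hosts still belong in the inventory so they are not forgotten.
        [pscustomobject]@{
            ComputerName = $h; OS = 'UNREACHABLE'; Version = ''; LastBoot = $null
            IsWindows7 = $null; Unsupported = $null; ePHIAccess = $EphiAccess[$h]
            UpgradeBlocker = $_.Exception.Message
        }
    }
}

$Inventory | Export-Csv -Path .\win7-inventory.csv -NoTypeInformation
# Hosts that need a documented mitigation plan (network restrictions, disabled services, etc.).
$Inventory | Where-Object { $_.Unsupported } | Format-Table ComputerName, OS, ePHIAccess -AutoSize
```

Rerun the script after each upgrade cycle so the CSV doubles as the documented record of which unsupported systems remain, why, and what ePHI they touch.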

Have additional questions? Contact us by email: support@hcp.md or phone: 855-427-0427.
