HIPAA & Windows 7

Why you should replace Windows 7 before January 14, 2020. Now is the time to upgrade to Windows 10.

On January 14, 2020, Microsoft ends security updates and patches for Windows 7. (Paid Extended Security Updates remain available only for the Professional and Enterprise editions, and only through January 2023.) After that date every newly discovered vulnerability in Windows 7 is one you cannot patch, so keeping a Windows 7 computer on a network that handles electronic Protected Health Information (ePHI) leaves a known, unmitigated risk that the HIPAA Security Rule requires you to manage. An unmanaged risk is a compliance failure, and it also makes you non-compliant with Meaningful Use. Windows 7 becomes a time bomb that could easily cause a reportable and expensive breach of ePHI. HIPAA fines and loss of Meaningful Use incentive money can far outweigh the expense of replacing your old computers.

The HIPAA Security Rule requires you to protect patient information. Without the system patches and updates that Windows 7 will no longer receive after January 14, this will be impossible on Windows 7. NIST guidance (SP 800-66, the resource guide for implementing the HIPAA Security Rule) goes into more detail.

Some Windows 7 defenders cite this FAQ answer from the HHS Office for Civil Rights (OCR), which says the HIPAA Security Rule does not mandate specific operating systems, to argue that continued use of Windows 7 is allowable:

  • The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI)… the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications… Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity's risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
This is not the sole guidance on protecting health information, and it should not be read alone, because HIPAA also requires risk management of every vulnerability identified in the risk analysis. Those who want to keep Windows 7 often ignore the rest of the HIPAA Security Rule, the HIPAA Omnibus Final Rule, the Meaningful Use requirements, and HIPAA enforcement penalties. All of these must be considered together when protecting health information. For example, if you list an unsupported operating system as a vulnerability in your risk analysis, you must then define how you will manage that risk to protect patient data. With no vendor patches available, no reasonable compensating controls will close that gap, which is why keeping Windows 7 is not compatible with HIPAA compliance.
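The first step of the risk analysis described above is knowing which machines still run an unsupported operating system. The following PowerShell script is an added example, not code from the original article; it assumes a domain-joined administrative workstation with the RSAT ActiveDirectory module installed and read access to computer objects, and the CSV file name is a placeholder. It lists Windows 7 hosts (and Windows Server 2008 R2, which leaves support on the same date) so they can be recorded as a vulnerability and tracked to remediation.

```powershell
# Added example (not from the original article): inventory unsupported Windows hosts
# from Active Directory for the HIPAA risk analysis.
# Assumptions: RSAT ActiveDirectory module is installed; the account can read
# computer objects in the domain; the output path below is a placeholder.
Import-Module ActiveDirectory

# Windows 7 and Windows Server 2008 R2 both lose support on January 14, 2020.
# Match on the OperatingSystem attribute that domain-joined hosts publish.
$filter = 'OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows Server 2008 R2*"'

$unsupported = Get-ADComputer -Filter $filter `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, Enabled, IPv4Address

$report = $unsupported |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, Enabled, LastLogonDate, IPv4Address |
    Sort-Object LastLogonDate -Descending

# Hosts that logged on recently are live and must be treated as active risks;
# stale, disabled objects should be removed from AD rather than left to confuse the inventory.
$active = $report | Where-Object { $_.Enabled -and $_.LastLogonDate -gt (Get-Date).AddDays(-90) }

$report | Format-Table -AutoSize
"Unsupported hosts in AD: $($report.Count); active in the last 90 days: $($active.Count)"

# Export for the risk-analysis workpapers (placeholder path).
$report | Export-Csv -Path ".\unsupported-windows-inventory.csv" -NoTypeInformation

# For a machine that is not domain-joined, run this locally to confirm its OS:
# (Get-CimInstance Win32_OperatingSystem).Caption
```

Active Directory only sees domain-joined machines, so supplement this list with a network scan or your endpoint management console for workgroup PCs, medical-device workstations and anything on an isolated segment; those are the Windows 7 boxes most often forgotten in a risk analysis.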

What Experts Say

"The HIPAA Security Rule is all about implementing effective risk management to adequately and effectively protect EPHI."
National Institute of Standards and Technology (NIST)

"To comply with HIPAA, you must continue to review, correct or modify, and update security protections."
Office of the National Coordinator for Health Information Technology (ONC), Meaningful Use guidance

The Electronic Health Records Incentive Program "Meaningful Use" guidance requires that you:
  • review that all electronic devices that store, capture, or modify electronic protected health information comply with HIPAA
  • continue to review, correct or modify, and update security protections
  • correct any deficiencies identified during the risk analysis within the reporting period
  • review and update the prior analysis for changes in risks