Why You Should Replace Windows 7 Before January 14th, 2020. Now is the time to upgrade to Windows 10.
On January 14, 2020, Microsoft is ending security updates and patches for Windows 7.
Because it will be defenseless, just having a Windows 7 computer on your network will be a HIPAA violation, which also makes you non-compliant with Meaningful Use. Windows 7 will be a time bomb that could easily cause a reportable and expensive breach of electronic Protected Health Information (ePHI). HIPAA fines and loss of Meaningful Use money can far outweigh the expense of replacing your
The HIPAA Security Rule requires that you protect patient information. Without system patches and updates, which will not exist for Windows 7 after January 14, this will be impossible with Windows 7. NIST guidance goes into more detail.
Some Windows 7 defenders have pointed to this FAQ answer from the Office for Civil Rights, which says that the HIPAA Security Rule does not mandate specific operating systems, to claim that continued use of Windows 7 is allowable.
- The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). … the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications … Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
This is not the sole guidance on protecting health information, and it should not be taken alone, because HIPAA also requires Risk Management of vulnerabilities identified in the Risk Analysis. What those wanting to keep Windows 7 often ignore is the rest of the HIPAA Security Rule, the HIPAA Omnibus Final Rule, Meaningful Use requirements, and HIPAA enforcement penalties. These must all be considered together when protecting health information. For example, if you list an unsupported operating system as a vulnerability, then you must define how you will implement effective risk management to protect patient data. This will be impossible for organizations that want to keep Windows 7 and also must comply with HIPAA.
What Experts Say
Continuing to use Windows 7 after (January 14, 2020) will magnify security risks and associated mitigation costs, considerably…
Because of ever-advancing threats, the risks of continuing to use obsolete (and soon unsupported) software are unacceptable. -US Information Security and Privacy Advisory Board
Without critical Windows 7 security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information. Anti-virus software will also not be able to fully protect you once Windows 7 itself is unsupported. -Microsoft
Running 7 after the end of support date may expose the company to potential security and compliance risks. Also worth consideration is the fact that, aside from vulnerable systems, it is expected that several third-party software vendors will stop support of their applications on the 7 platform after January 2020 as well – this adds additional danger of vulnerable applications and multiplies the possible infection vectors. –Symantec Corporation
The HIPAA Security Rule is all about implementing effective risk management to adequately and effectively protect EPHI. -National Institute of Standards and Technology (NIST)
The Electronic Health Records Incentive Program ‘Meaningful Use’ guidance requires that you:
- review all electronic devices that store, capture, or modify electronic protected health information for compliance with HIPAA
- continue to review, correct or modify, and update security protections
- correct any deficiencies (identified during the risk analysis) during the reporting period
- review and update the prior analysis for changes in risks