Are Windows XP and Internet Explorer 8 HIPAA Compliant?
(Note: there is a lot of detail here but if you want the “Too Long; Didn’t Read” short version, it can be summed up like this: if you have to keep using Windows XP, get a modern browser like Firefox or Chrome or Opera for accessing My Docs Online.)
Microsoft ended support for Windows XP in April 2014 and ended support for all Internet Explorer versions except IE 11 in January 2016.
That means Windows XP and older versions of IE (like IE 8, which is commonly found on XP systems) will no longer get critical security patches, so XP systems and IE 8 both have unpatched security vulnerabilities. In addition, IE 8 may in the future be unable to connect to web servers that employ the most stringent security protocols.
Does this mean Windows XP and IE 8 are no longer HIPAA-compliant?
Because of the language HHS uses in its rules and recommendations, that is (at least technically) open to interpretation.
The “Security Rule” avoids mandating minimum operating system levels in order to “allow flexibility for covered entities to implement security measures that best fit their organizational needs”.
However, the rule also offers practical guidance when it adds this important advice:
“…any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).”
In short, if an operating system and/or a browser is no longer supported and has security issues, you might not want to use it for handling electronic Protected Health Information (e-PHI). Read the HHS advice here.
What does this mean for HIPAA compliance and for accessing My Docs Online?
We advise medical professionals to plan for a move to a supported operating system, but recognize that there are cases where this may be difficult or unnecessary, for instance if a particular application requires features only supported in an older browser, or if the computer is not connected to the Internet.
However, we strongly recommend the installation of a modern, supported browser alongside unsupported versions of Internet Explorer, for use in connection to My Docs Online and transfer of e-PHI.
Google Chrome, for instance, was a good option, at least until Google announced that no more updates would be available for XP beginning in April 2016.
The developers of Firefox have indicated that Firefox will continue to support XP as long as it remains “popular”, so that may be a good choice for XP users who want to continue to receive browser updates.
The less well-known Opera browser is another option, as Opera continues to support XP for now.
It’s also important to note that web server security restrictions are constantly growing tighter as new threats emerge. Older, weak protocols are disallowed, and browsers that aren’t being updated often can’t keep up. This may result in an old browser simply not being able to connect to our servers, now or in the future.