Local Hospital still uses XP
-
Went to a doctor's appointment this morning. While I was there I noticed that every computer that I saw, registration, physicians, ultrasound tech, etc... all running Windows XP SP3.
I thought HIPPA required a supported/patched operating system, or was I mistaken by this.
-
HIPAA does, I believe. But it does not require a current one. As long as all patches for XP have been applies, they probably meet the HIPAA stated requirements, if not the intent.
-
@scottalanmiller said:
HIPAA does, I believe. But it does not require a current one. As long as all patches for XP have been applies, they probably meet the HIPAA stated requirements, if not the intent.
Well that just sounds nuts! From HHS website:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
Answer:
No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
Reading these "answers" make my head hurt. It sounds like you could get screwed depending on who is reading the "rules" or guidelines. And of course everyone is an "expert".
-
Yes, HIPAA is not a set of rules, it is a set of guidelines. It must be interpreted. This was to avoid the pharmaceutical industry's issues where they mandates rules instead of guidelines and ended up forcing the whole industry to be unpatched and insecure.
-
All of these guidelines or rules are just a giant cluster - it leads to being audited by two different individuals one finding you fine with your setup, the other not, and you will little recourse when you're found not in compliance other than simply upping yourself to the standards that the 'not' person wants.
We had a fire inspector come through a few years ago.. we had to replace all of our medically approved power strips with new ones because a new test code was released and the in place strips hadn't be tested specifically against those new codes, yet the currently produced one were identical save for the new test code stamped on them.
In this case it was just a way for a business to sell more widgets. What a sham!
-
Reminds me of this guy at Spicecorp one time. He thought he was cock of the walk, talking about PCI compliance. He made a statement that wifi can NEVER be used per PCI compliance.
Like HIPAA, PCI compliance is a guideline, there is nothing verboten. Yes, wifi could be "hacked" but also leaving interfaces unsecured is also a violation.
Of course, I love the "cloud" hosts who claim they are HIPAA compliant.
