The HIPAA Security Rule requires covered entities and business associates to develop effective administrative, technical, and physical safeguards to ensure protected health information (PHI) is secure. The Security Rule does not impose minimum HIPAA operating system requirements for a business’ computer systems.
Indeed, the HIPAA Security Rule generally does not impose any specific HIPAA software requirements (including HIPAA operating system requirements) on entities. No provision of the Security Rule tells you, for example, what kind of antivirus, antimalware, or firewall software to purchase.
The absence of a security rule grocery shopping list is very much by design. The Security Rule was written to provide flexibility for covered entities to implement HIPAA cybersecurity measures that best fit their particular organizational needs.
What are HIPAA Operating System Requirements?
HIPAA indirectly regulates operating system requirements.
The Security Rule mandates requirements for information systems that contain electronic protected health information, or ePHI. ePHI is defined as any protected health information that is created, stored, transmitted, or received in any electronic format or media. Information systems must contain security capabilities, or features, that are sufficient to satisfy the technical safeguard implementation requirements of the Security Rule. These HIPAA operating system requirements include (among others) audit controls, unique user identification, person or entity authentication, and transmission security.
The administrative safeguard implementation requirements of the Security Rule require that entities perform a risk analysis, in which any known security vulnerabilities of an operating system should be considered. In performing the analysis, entities should ask themselves, “Is my operating system vulnerable to being exploited?”
If an operating system is vulnerable to exploitation, the risk analysis must reflect that fact, and you must take whatever steps are reasonable to address the vulnerability.
When is an Operating System Vulnerable to Exploitation?
An operating system is vulnerable to exploitation when that operating system contains known vulnerabilities for which a security fix is unavailable. Security fixes may be unavailable for a number of reasons. One reason a fix might be unavailable is that the manufacturer of the operating system no longer provides support for that system; that is, it no longer provides new security updates, non-security hotfixes, assisted support options, or technical content updates. This “dropping” of support for an operating system is colloquially referred to as sunsetting the operating system.
Microsoft “sunset” its popular Windows XP Operating System in 2014, advising users that security updates would no longer be provided for Windows XP. Microsoft advised users that “Security updates patch vulnerabilities that may be exploited by malware and help keep users and their data safer. PCs running Windows XP after April 8, 2014, are not considered secure.”
Windows XP was launched in 2001. In 2009, Microsoft released its Windows 7 operating system. The most current version of Windows, known as Windows 10, was launched in 2015.
Microsoft has announced that support for Windows 7 will end on January 14, 2020. After that date, Microsoft will no longer provide security updates or support for computers using Windows 7. Accordingly, Microsoft has advised Windows users, “Now is the time to upgrade to Windows 10.”
Continuing to use an operating system that has known vulnerabilities identified in a risk analysis does not suffice to meet the required risk management component of the HIPAA Security Rule. Risk management requires organizations to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” By definition, if you are using an operating system that no longer receives security support, you are improperly managing your risk, and, if, as a result of that impropriety, your organization’s ePHI becomes compromised, you are subject to being audited and fined by the Department of Health and Human Services’ (HHS’) Office for Civil Rights (OCR).
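As an added example (not code from the article), the following Python check applies the sunset dates the article cites to a constructed asset inventory and produces the risk-register entries the risk analysis and risk management steps call for. The hostnames, the ePHI flag, and the Windows 10 entry with no end date on file are assumptions.

```python
from datetime import date
from typing import Dict, List, Optional

# End-of-support dates the article states: Windows XP (April 8, 2014) and
# Windows 7 (January 14, 2020). Windows 10 has no end date on the page, so it
# is stored as None and must be verified against the vendor's lifecycle notice.
END_OF_SUPPORT: Dict[str, Optional[date]] = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": None,
}

# Constructed sample asset inventory; hostnames and ePHI flags are invented.
INVENTORY: List[Dict[str, object]] = [
    {"host": "ehr-ws-01", "os": "Windows 7", "stores_ephi": True},
    {"host": "lab-kiosk-02", "os": "Windows XP", "stores_ephi": True},
    {"host": "front-desk-03", "os": "Windows 10", "stores_ephi": False},
    {"host": "legacy-pacs", "os": "Windows 7", "stores_ephi": True},
]


def assess_host(host: Dict[str, object], as_of: str) -> Dict[str, object]:
    """Return a risk-register entry for one host as of an ISO date string."""
    today = date.fromisoformat(as_of)
    os_name = str(host["os"])
    if os_name not in END_OF_SUPPORT:
        status, action = "unknown", "Add OS to lifecycle table before concluding."
    elif END_OF_SUPPORT[os_name] is None:
        status, action = "verify", "Confirm vendor support status; no end date on file."
    elif today >= END_OF_SUPPORT[os_name]:
        status = "unsupported"
        action = "No further security updates; migrate, or isolate and document."
    else:
        status = "supported"
        action = f"Patch routinely; support ends {END_OF_SUPPORT[os_name].isoformat()}."
    # An unsupported system that holds ePHI is exactly the case the Security
    # Rule's risk management step requires be reduced to a reasonable level.
    high = status == "unsupported" and bool(host["stores_ephi"])
    return {"host": host["host"], "os": os_name, "status": status,
            "priority": "high" if high else "normal", "action": action}


def assess_inventory(inventory: List[Dict[str, object]], as_of: str) -> List[Dict[str, object]]:
    """Assess every host, listing high-priority findings first (stable order)."""
    findings = [assess_host(h, as_of) for h in inventory]
    return sorted(findings, key=lambda f: f["priority"] != "high")


if __name__ == "__main__":
    for f in assess_inventory(INVENTORY, "2020-01-15"):
        print(f"{f['priority']:6} {f['host']:14} {f['os']:10} {f['status']:11} {f['action']}")
```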