Microsoft to discontinue support for Windows XP

Could expose some dentists to security risks and lead to HIPAA violations


Microsoft will discontinue technical support for Windows XP on April 8, 2014, which could put dental practices that still run the operating system at increased risk of serious security problems.

For dental practices that use Windows XP and that are covered under the Health Insurance Portability and Accountability Act, it may be prudent to review and, if appropriate, revise their HIPAA Security risk assessment and security measures.

Security updates that protect PCs against newly discovered vulnerabilities will no longer be provided for Windows XP after that date. The operating system will still run after April 8, but, according to Microsoft, computers that continue to use it will become increasingly exposed, since any vulnerability found from then on will remain unpatched.

Microsoft Security Essentials, Microsoft's antivirus software for Windows XP, will continue to receive signature updates until July 14, 2015, and other antivirus vendors are also expected to keep providing updates. Antivirus signatures, however, only help against malware that has already been identified; they do not fix the underlying operating system flaws that attackers exploit, so continued antivirus coverage is not a substitute for security patches.

These security risks could lead to data breaches that would require dental practices to notify affected patients and the Department of Health and Human Services, and could expose them to liability for violating state data security laws. Practices that accept credit or debit cards could also be at risk of violating the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements developed by the payment card industry to protect cardholder data.

But it may be an oversimplification to state that any covered health care provider using an XP workstation or server after April 8 is automatically violating the HIPAA Security Rule, according to Dr. Mary A. Licking, chair of a working group of the Standards Committee on Dental Informatics.

The HIPAA Security Rule includes two standards that should prompt covered dental practices that are currently using Windows XP to develop a transition plan to Windows 7 or 8, Dr. Licking said. The "Risk Analysis" standard requires a covered dental practice to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered practice. The "Security Management Process" standard requires covered practices to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with general requirements of the Security Rule.

"These requirements basically mean that covered entities must be aware of privacy threats and adjust their policies, procedures, and, sometimes, their office computer networks to respond to changes in their threat environments in an appropriate manner," Dr. Licking said.

Older computer operating systems, like Windows XP, may be more vulnerable to hacking attacks over open networks and to computer viruses, Dr. Licking said. They can also crash without warning, exposing data to possible loss, she said. Once a developer like Microsoft stops offering support for an operating system, no more security patches or bug fixes will be available.

"Vendors of products that run on the old operating system, like dental practice management software, may cease support for those products as well, exposing the client to the risks posed by bugs, crashes, data loss and other security problems," Dr. Licking said. "It's more prudent to use a reasonably current operating system that's supported so that the organization can continue to receive security patches, software updates and technical support necessary for meeting the HIPAA Security Rule's technical requirements."

Microsoft encourages its customers to upgrade to Windows 8.1 if their hardware meets its requirements; Windows 7 is also an option. Dental practices planning to transition away from Windows XP should consult their technology vendors, including their practice management software vendor, to devise a prudent and appropriate migration path.

For more information on HIPAA requirements, visit ADA.org/8753.aspx. The Office for Civil Rights also has information on the law at hhs.gov/ocr/privacy. To learn more about the Payment Card Industry Security Standards Council, visit pcisecuritystandards.org.

The ADA Complete HIPAA Compliance Kit (J598) is available from the ADA Catalog, catalog.ada.org, and includes a manual, the training CD-ROM and a three-year update service. The kit is $300 for members and $450 for nonmembers.