Does the HIPAA Security Rule Require Use of a Certain Operating System?

With the pending sunset of Windows XP support on April 8, 2014, many have started asking whether the HIPAA Security Rule requires use of a certain operating system to be compliant.

The Department of Health and Human Services has addressed this issue in a FAQ answer:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?

No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity's risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
See https://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html.

After the sunset, Microsoft will no longer provide new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates for Windows XP. The sunset dates are different, however, for Windows Embedded products that are based on the Windows XP OS. As Microsoft explained in a recent blog post:
Windows Embedded products have their own distinct support lifecycles, based on when the product was released and made generally available. It is important for enterprises to understand the support implications for these products in order to ensure that systems remain up to date and secure. The following Windows Embedded products are based on Windows XP:

  • Windows XP Professional for Embedded Systems. This product is identical to Windows XP, and Extended Support will end on April 8, 2014.
  • Windows XP Embedded Service Pack 3 (SP3). This is the original toolkit and componentized version of Windows XP. It was originally released in 2002, and Extended Support will end on Jan. 12, 2016.
  • Windows Embedded for Point of Service SP3. This product is for use in Point of Sale devices. It's built from Windows XP Embedded. It was originally released in 2005, and Extended Support will end on April 12, 2016.
  • Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008; and Extended Support will end on Jan. 8, 2019.
  • Windows Embedded POSReady 2009. This product for point-of-sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released in 2009, and Extended Support will end on April 9, 2019.
See https://blogs.msdn.com/b/windows-embedded/archive/2014/02/17/what-does-the-end-of-support-of-windows-xp-mean-for-windows-embedded.aspx.
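The HHS answer above puts the burden on the covered entity's risk analysis: an operating system for which the vendor no longer ships security patches is a known, unremediable vulnerability that has to be recorded and rated. The lifecycle list shows why that is not a one-line check, since five XP-based products reach end of Extended Support on five different dates. The following script is an added example (not part of the original post, and not code from HHS or Microsoft) that takes a host inventory and produces prioritized findings for any system whose OS is past, or close to, the end of Extended Support. The end-of-support table is taken from the list quoted above; the host inventory, the 180-day warning window and the severity scale are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Extended Support end dates for Windows XP and the XP-based Windows Embedded
# products, taken from the Microsoft lifecycle list quoted in the post above.
EXTENDED_SUPPORT_END = {
    "Windows XP": date(2014, 4, 8),
    "Windows XP Professional for Embedded Systems": date(2014, 4, 8),
    "Windows XP Embedded SP3": date(2016, 1, 12),
    "Windows Embedded for Point of Service SP3": date(2016, 4, 12),
    "Windows Embedded Standard 2009": date(2019, 1, 8),
    "Windows Embedded POSReady 2009": date(2019, 4, 9),
}


@dataclass
class Host:
    name: str
    product: str        # operating system product name, exactly as inventoried
    handles_ephi: bool  # does the system store, process or transmit e-PHI?


@dataclass
class Finding:
    host: str
    product: str
    status: str                   # "unsupported", "ending_soon" or "unknown"
    days_remaining: Optional[int]  # negative once support has ended; None if unknown
    severity: str                 # "high", "medium" or "low"


def support_status(product: str, as_of: date, warn_days: int = 180) -> Tuple[str, Optional[int]]:
    """Classify one OS product as of a given date.

    A product missing from the table is reported as "unknown" rather than
    silently treated as supported: if you cannot confirm patches are still
    available, the risk analysis has to say so.
    """
    end = EXTENDED_SUPPORT_END.get(product)
    if end is None:
        return "unknown", None
    days = (end - as_of).days
    if days < 0:
        return "unsupported", days      # vendor no longer issues security patches
    if days <= warn_days:               # warn_days is an assumed planning window
        return "ending_soon", days
    return "supported", days


def assess(hosts: List[Host], as_of: date, warn_days: int = 180) -> List[Finding]:
    """Return findings for every host not on a fully supported OS, worst first."""
    findings = []
    for h in hosts:
        status, days = support_status(h.product, as_of, warn_days)
        if status == "supported":
            continue
        # Assumed rating: an unsupported OS on an e-PHI system is the top case,
        # because the HHS FAQ names exactly that condition for the risk analysis.
        if status == "unsupported":
            severity = "high" if h.handles_ephi else "medium"
        else:  # "ending_soon" or "unknown"
            severity = "medium" if h.handles_ephi else "low"
        findings.append(Finding(h.name, h.product, status, days, severity))

    sev_order = {"high": 0, "medium": 1, "low": 2}
    status_order = {"unsupported": 0, "ending_soon": 1, "unknown": 2}
    findings.sort(key=lambda f: (sev_order[f.severity], status_order[f.status],
                                 f.days_remaining if f.days_remaining is not None else 0))
    return findings


# Constructed sample inventory: hypothetical hosts, not real systems.
SAMPLE_HOSTS = [
    Host("billing-ws-01", "Windows XP", handles_ephi=True),
    Host("lobby-kiosk", "Windows Embedded POSReady 2009", handles_ephi=False),
    Host("lab-analyzer", "Windows Embedded Standard 2009", handles_ephi=True),
    Host("pharmacy-pos", "Windows Embedded for Point of Service SP3", handles_ephi=True),
    Host("vendor-gateway", "Proprietary RTOS 4.2", handles_ephi=True),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_HOSTS, date(2016, 1, 1)):
        print(f"{f.severity:6} {f.status:12} {f.host:15} {f.product} (days remaining: {f.days_remaining})")
```

Run against the sample inventory as of January 1, 2016, the script rates the Windows XP billing workstation as high (support ended 633 days earlier and the host handles e-PHI), the Point of Service terminal as medium with 102 days of support left, and the gateway on an unrecognized OS as medium because its patch status cannot be confirmed; the two 2009-generation embedded systems are still within Extended Support on that date and produce no finding. The point of keeping the product name exact is that "it runs XP" is not enough for the risk analysis: the embedded variants differ by up to five years in when patches stop.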

This FAQ post, and the information on this website, has been prepared for general information purposes only. The information on this website is not legal advice. Legal advice is dependent upon the specific circumstances of each situation and the jurisdiction of each state. The information contained here is not guaranteed to be up to date. Please consult legal counsel in your state to discuss your specific circumstances.
