After recently reading about another major data breach, this time at the second largest chain of hospitals in the United States, I was shocked to realize how vulnerable my medical information is. The blame does not rest with malicious hackers alone: this incident shows how software security vulnerabilities inside medical facilities can expose patient data.
On April 8, 2014, Microsoft announced the final expiration of support for its Windows XP operating system (OS). The Windows XP website stated that the much needed security patches would no longer be offered and recommended that users upgrade to the latest Windows OS. Estimates put the number of personal computers (PCs) still running Windows XP at the time of expiration near 400 million.
Despite that recommendation, a large percentage of personal computers, including those of most medical providers, are still using the software. According to Net Market Share, a monitoring service that analyzes website traffic, one in four of all computers on the internet this July used Windows XP. A few companies contracted paid extended support directly from Microsoft, but others did absolutely nothing. Another option some chose was third party support, which tech experts have warned is ill-advised.
According to the U.S. Department of Health and Human Services website, running expired software in itself is not a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) but entities must have a written policy in place to assess risk.
HIPAA regulates how medical providers address a patient’s private information, data security and breach notification rules. Most of us are familiar with HIPAA from the consent forms we sign at the doctor’s office.
The website also reported that HIPAA's security rule sets no minimum requirement for the operating systems used by medical providers or billing providers, even if the PC lacks proper security and manufacturer support.
A source within the State of Alaska's Department of Health and Human Services, speaking on condition of anonymity, stated that third party software support for Windows XP was not advised. The State of Alaska itself spent several million dollars upgrading its operating systems to avoid the software expiration after the Xarelto Lawsuit Bellwether Trials. The state had experienced data breaches before: in 2010, over 77,000 Alaskans had their private information compromised while enrolled in the PERS/TRS State of Alaska retirement system.
A call to Providence Health and Service Alaska in Anchorage revealed it is still operating Windows XP with third party support. The facility claims over two million patients in over three states and is the largest medical provider in Alaska. Michael Boyd, Chief Information Security Officer for Providence Health & Services, located in the Portland, Oregon area, said the company contracted Microsoft for continuous support but had no explanation as to the local facility’s software status.
Plans to upgrade the systems and amend the risk analysis were said to be in place. Just four days after the operating system expiration, Providence's billing department moved 42 positions out of the state. No explanation, other than consolidation, was given.
So what can a person do to ensure their medical data is safe? Alaska does have a data breach notification law, AS Sec. 45.48.090 (7), but sometimes an ounce of prevention is worth a pound of cure. In this instance, that ounce will cost medical providers a considerable amount of money to upgrade expired systems, but the cost of a breach would be more. Not only do local laws impose fines for data breaches, but HIPAA violations can result in federal fines as well. A company that has a breach is also liable for all damages incurred through stolen identities.
- Ask your medical provider about their HIPAA policy and review their risk assessment. Questioning procedure helps establishments realize people want to know and forces providers to review their existing rules.
- Call your local representative and request more stringent laws protecting your data. As cliche as this sounds, voicing your concern may be the most important effort to make.
- Take steps to learn best practices with online usage and passwords for yourself. Many medical facilities offer online access to medical records. Always be sure to sign out and never save your password on a browser.
- If you still have Windows XP, now is the time to upgrade. With some investigation, you can choose a cost effective and secure option. Avoid third party plugins. Numerous sites claim to offer support, but with no way to validate their authenticity you risk voiding your computer's warranty or downloading malicious software.
Knowledge is power, and technology literacy can help protect your privacy and financial well being. According to the Federal Trade Commission, in 10 percent of stolen identity cases thieves accrued up to $6,000 or more in fees from fraudulent purchases. With proper precautions and awareness, a community and a nation have the capability to ensure that your private data is safe.
For More Information on HIPAA: http://www.hhs.gov/ocr/privacy
For the Windows XP expiration: http://www.microsoft.com/en-us/windows/enterprise/end-of-support.aspx
For Safe Internet Practices: http://support.dell.com/support/topics/global.aspx/support/security/security_tips