● Industry Watch SECURITY

Windows XP: Threat to ePHI security and compliance? Don’t believe everything you read.

By Earl Reber

By now, you’ve probably heard a growing choir of industry professionals harping on the perils of running Windows XP on devices that carry patient data. The argument goes that since Microsoft is ending its support for that operating system, data stored on XP-powered devices is at serious risk for breaches, hackers and other cyber dangers. Don’t believe everything you read.

The real challenge

We don’t mean to diminish the importance of addressing XP as an unsupported platform. But the real challenge is that Windows XP is just one of many unsupported, unpatched platforms operating life-saving devices today. In reality, many medical devices carry at least eight versions of Windows that predate XP, as well as several versions of DOS. Removing all XP from your hospital will do little to improve your risk profile.

Why not upgrade all systems?

Since medical devices are FDA-regulated machines, we can’t treat them as conventional computers, updating software, patching operating systems, slapping anti-virus or encryption capabilities on as we wish. By doing so, we would be altering their FDA-approved state, potentially corrupting the device’s function or the data stored in it. Rather, the FDA requires that any medical device modifications be validated, regression-tested and cleared by the manufacturer first.

NETWORK VULNERABILITIES: Dell documents cyber criminal tactics

Wondering what cyber attacks were most prolific last year – or what’s on the horizon for mid 2014 and beyond? Well, the Dell SonicWALL Threat Research Team has you covered. Using real-time threat information collected anonymously from more than 1 million connected sensors around the world, the company’s researchers have put together the “2013 Dell SonicWALL Security Threat Report,” released March 2014. Key findings include that there were nearly 80 billion incidents worldwide last year of remotely accessed malware. Java was the No. 1 targeted application, followed closely by Internet Explorer and Adobe Flash Player. The SonicWALL team also documented a rise in bots relying on SSL-encrypted communication to command-and-control servers, which are attacks designed to evade detection by disguising communication in an encrypted session. SonicWALL threat researchers also saw cyber criminals begin to deploy ransomware that leverages asymmetric key encryption to encrypt critical data on infected machines. They observed “a new Cryptolocker Trojan that, unlike traditional ransomware, leaves system access intact but encrypts various documents and executables found on the system.” Sophisticated “hybrid” malware that infects both mobile and desktop systems is also expected to increase, with Android being the leading targeted platform. The Windows XP and Windows 7/8 operating systems will also see a rise in attacks. Dell says that its SonicWALL security solutions detected and prevented 1.06 trillion IPS incidents and 1.78 billion malware downloads in 2013. Download the full report at

6 June 2014

What to do

Outside of working with manufacturers to update medical device software, what can you do?


1. When conducting your HIPAA risk assessment, include every place where ePHI resides in your facility. From MRIs to pulse oximeters, a typical hospital averages two medical devices per bed that capture, store or transmit ePHI. If it has patient data in it, it’s subject to HIPAA.

2. Evaluate whether legacy systems connected to your network really need to be connected. Are there more secure ways to get the data from a device to the network, such as downloading it to an encrypted USB device, then uploading it to the network?

3. Determine if you need to keep information on a device once you’ve put it in the patient’s chart. Why leave test results on a laptop-based medical device when they are so easy to steal? Remove old exams on a regular schedule, ensuring appropriate transfers to your EHR.

4. Because Windows is such a common operating system, many clinicians use it to check email or surf the Web between patient studies. Define acceptable use policies, then educate staff.

If nothing else, please observe our first recommendation: Complete a risk assessment that captures all places where ePHI is stored. Not only does that assessment fulfill a vital HIPAA requirement, but it’s also the foundation for identifying your true risk level. Armed with those findings, you’ll be able to identify high-impact steps that don’t waste your resources on short-sighted Band-Aids like a Windows XP witch hunt, which only addresses a small part of the problem.
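As an added illustration of recommendations 1 through 3 (not code from the column or from eProtex), the Python below triages a constructed device inventory: every device holding ePHI is in scope, any unsupported platform is a finding whether it runs XP, an older Windows or DOS, and stale exams left on a device are flagged against an assumed 30-day purge schedule. The platform list, field names and sample devices are all assumptions; the summary with and without XP shows how little of the risk picture an XP-only removal addresses.

```python
"""Triage a constructed medical-device inventory for a HIPAA risk assessment:
every ePHI device is in scope, and any unsupported platform is a finding."""
from collections import Counter
from dataclasses import dataclass

# Assumption: platforms treated as unsupported for this assessment.
UNSUPPORTED_OS = {"DOS", "Windows 3.1", "Windows 95", "Windows 98",
                  "Windows NT 4.0", "Windows 2000", "Windows XP"}

@dataclass
class Device:
    name: str
    os: str
    holds_ephi: bool            # captures, stores or transmits patient data
    networked: bool             # connected to the hospital network
    days_since_exam_purge: int  # age of the oldest exam still on the device

def findings(dev: Device, purge_days: int = 30) -> list[str]:
    """Finding codes for one device; devices without ePHI are out of scope."""
    if not dev.holds_ephi:
        return []
    codes = []
    if dev.os in UNSUPPORTED_OS:
        codes.append("unsupported-os")
        if dev.networked:            # reachable from the network as well
            codes.append("unsupported-os-networked")
    if dev.days_since_exam_purge > purge_days:
        codes.append("stale-exams")  # results not purged on schedule
    return codes

def risk_summary(inventory: list[Device], exclude_os=frozenset()) -> dict[str, int]:
    """Count findings; exclude_os simulates removing a platform from the fleet."""
    counts = Counter()
    for dev in inventory:
        if dev.os not in exclude_os:
            counts.update(findings(dev))
    return dict(counts)

# Constructed sample inventory (not real hospital data).
INVENTORY = [
    Device("MRI console", "Windows 2000", True, True, 10),
    Device("Pulse oximeter cart", "DOS", True, False, 0),
    Device("Ultrasound laptop", "Windows XP", True, True, 45),
    Device("Infusion pump", "Embedded RTOS", False, True, 0),
    Device("Nurse workstation", "Windows 7", True, True, 5),
    Device("Portable ECG", "Windows 98", True, False, 60),
]
```

Comparing `risk_summary(INVENTORY)` with `risk_summary(INVENTORY, {"Windows XP"})` on this sample leaves three of four unsupported-platform findings in place after XP is removed.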

Earl Reber is the Executive Director of eProtex, a medical device security and compliance firm with more than 18,000 HIPAA risk assessments under its belt. He can be reached at
