Windows Security, HIPAA, and Xoran—what you need to know
Are you concerned about Windows 7 computers in your office?
If your IT Department is designing policies toward ensuring HIPAA compliance in 2020 and strengthening network security, here’s what you need to know—
The U.S. Department of Health & Human Services section on Health Information Privacy provides the following statement:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
HIPAA stipulates that organizations must implement procedures for detecting, guarding against, and reporting malicious software.
What this means for your practice, your patients, and the MiniCAT computer attached to your MiniCAT:
Xoran has always taken its HIPAA responsibilities seriously and has designed and updated its products, as well as policies and procedures, to remain current with the U.S. compliance requirements.
Xoran HIPAA Windows 7 Statement
Xoran does not rely solely on the computer system’s operating system (or platform) to secure patient data. Patient information is safeguarded to prevent the use of, or the disclosure of, the protected health information other than as provided for through the Xoran software. Patient information is protected without solely relying on the operating system security. Xoran system security complies to all HIPAA security requirements.
In addition, as a part of every Xoran purchase, Xoran establishes a Business Associates Contract, which creates a relationship between Xoran and its Customers that ensures both parties keep patient data safe and secure, and HIPAA-compliant.
Read the HIPAA Business Associate Agreement Facts:
Business Associate Contracts. A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.
Microsoft Windows Support is “strongly” recommending that Windows 7 users upgrade to Windows 10. Your MiniCAT software will continue to run on Windows 7, and Xoran will maintain HIPAA compliance. If your practice’s policy is to upgrade practice computers to Windows 10, please call (800) 70-XORAN, or email email@example.com for more information and a quote.
As always, Comprehensive Service Plan customers will receive priority access to the Windows 10 upgrade, along with preferred pricing.
An Important Note about Third-Party Service Providers
Xoran does not support non-Xoran-approved software to be installed on any computer connected to the MiniCAT. Similarly, Xoran does not support any non-Xoran-approved hardware to be installed. We recommend that all service be performed by Xoran’s fleet of certified service engineers and never by an uncertified third-party who may compromise the MiniCAT’s security and compliance integrity.
Xoran’s responsibility to the FDA, state regulatory agencies, its customers, and the patients who are helped by the MiniCAT, means that any unauthorized third party hardware or software connected to or installed on a MiniCAT can potentially void your Xoran Service Agreement.
Please contact Xoran before authorizing any updates or changes to your MiniCAT.