On April 8, 2014, Microsoft ceased providing support for its Windows XP operating system and Office 2003 office suite. Nelson Gomes, CEO and president of PriorityOne Group, a provider of information technology services for ambulatory surgery centers and medical practices, explains the significance of this news for ASCs and what they need to do now if they're still using either of these programs.
Q: What does Microsoft ending support for Windows XP and Office 2003 mean for their future?
Nelson Gomes: While both will continue to work, since they are now unsupported, Microsoft will no longer provide any type of updates or patches to them. Updates and patches serve many purposes, but the most critical from an ASC's perspective is that updates — specifically security updates — protect a computer from security vulnerabilities affecting Microsoft products. Without such security updates and patches, computers running Windows XP and Office 2003 are vulnerable to ongoing security risks.
To make matters worse, if ASC staff uses computers with either the unsupported operating system or office suite for anything involving protected health information (PHI), the ASC effectively becomes non-compliant with HIPAA and the HITECH Act.
Q: How does the end of support affect ASCs?
NG: In short, if ASCs are using computers running the Windows XP operating system and access PHI, continued use by the ASC is a HIPAA violation since the machine is no longer considered HIPAA compliant.
If the computer is not used to access PHI but handles other important ASC data (e.g., billing, human resources, etc.), there is now greater risk of a breach as the computer's security vulnerability risk is much higher.
Q: How can ASCs determine whether they are still using Windows XP and Office 2003?
NG: If you don't know what operating system you are running, you can check by going to this link provided by Microsoft. If a computer does not have Internet access, ASCs should (1) click "Start"; (2) click "Run" or if they see a search field, click in it; and (3) type "winver" (without quotes) and press "Enter." A window will pop up indicating the version of Windows in use.
To determine what version of Microsoft Office is installed, instructions are provided by Microsoft here. These instructions will work regardless of whether a computer is connected to the Internet.
One important note: It is critical to check all desktops and laptops owned by the ASC and used to access the ASC's network, even those not presently in use. In the event that, for example, you hire a new employee and decide to provide him or her with a computer that was in storage, you will not want to risk connecting an unchecked computer that may have one of these unsupported programs to your network.
Q: What should ASCs do now if they are still using computers with Windows XP and/or Office 2003?
NG: The first step will be to develop and fully document a remediation plan for PC replacement or operating system upgrade. While this process does not clear you from the need to become compliant in a timely fashion, in the event that your ASC undergoes a HIPAA/HITECH audit, having a documented remediation plan with timelines indicates your ASC recognizes its non-compliance and has developed means to remediate the security vulnerability.
From an operating system perspective, you will need to determine whether the computer hardware is even capable of running a newer operating system. Ask your designated IT person to conduct an assessment of the computer's hardware resources (e.g., processor, memory, hard drive space), noting any technology that may present challenges to running a new system.
If the workstation has hardware resources to run a new operating system effectively, you can pay for a system license upgrade, backup files, reformat the hard drive and install the new operating system. If the computer's hardware resources cannot effectively handle the new system, you may be able to invest in upgrading the hardware so it meets the new operating system's hardware requirements.
However, the cost of new computers has declined significantly in recent years, so it is now oftentimes cheaper to purchase a new workstation with a new operating system installed rather than purchase new hardware, a new operating system license and pay an IT technician to install these components and configure the machine.
From an office suite perspective, you will once again want to ask your designated IT person to assess the computer's hardware resources and determine whether they can handle a new version of Microsoft Office. If your computer is running a newer version of Windows, there is a good probability it will be able to effectively run a newer version of Office.
Nelson Gomes (ngomes@p1cgroup.com) is the president and CEO of PriorityOne Group (www.p1cgroup.com), a New Jersey-based healthcare IT consulting firm. Gomes has 20 years experience in IT, including 15 specifically in health IT, providing services to ambulatory surgery centers, medical centers and clinics.
More Articles on Surgery Centers:
4 ASCs Performing Rare Pain Management Procedures
15 Statistics on ASC Days Operating Expenses
Overcome Big Revenue Cycle Management Obstacles: Trends & Analysis for ASCs
Q: What does Microsoft ending support for Windows XP and Office 2003 mean for their future?
Nelson Gomes: While both will continue to work, since they are now unsupported, Microsoft will no longer provide any type of updates or patches to them. Updates and patches serve many purposes, but the most critical from an ASC's perspective is that updates — specifically security updates — protect a computer from security vulnerabilities affecting Microsoft products. Without such security updates and patches, computers running Windows XP and Office 2003 are vulnerable to ongoing security risks.
To make matters worse, if ASC staff uses computers with either the unsupported operating system or office suite for anything involving protected health information (PHI), the ASC effectively becomes non-compliant with HIPAA and the HITECH Act.
Q: How does the end of support affect ASCs?
NG: In short, if ASCs are using computers running the Windows XP operating system and access PHI, continued use by the ASC is a HIPAA violation since the machine is no longer considered HIPAA compliant.
If the computer is not used to access PHI but handles other important ASC data (e.g., billing, human resources, etc.), there is now greater risk of a breach as the computer's security vulnerability risk is much higher.
Q: How can ASCs determine whether they are still using Windows XP and Office 2003?
NG: If you don't know what operating system you are running, you can check by going to this link provided by Microsoft. If a computer does not have Internet access, ASCs should (1) click "Start"; (2) click "Run" or if they see a search field, click in it; and (3) type "winver" (without quotes) and press "Enter." A window will pop up indicating the version of Windows in use.
To determine what version of Microsoft Office is installed, instructions are provided by Microsoft here. These instructions will work regardless of whether a computer is connected to the Internet.
One important note: It is critical to check all desktops and laptops owned by the ASC and used to access the ASC's network, even those not presently in use. In the event that, for example, you hire a new employee and decide to provide him or her with a computer that was in storage, you will not want to risk connecting an unchecked computer that may have one of these unsupported programs to your network.
Q: What should ASCs do now if they are still using computers with Windows XP and/or Office 2003?
NG: The first step will be to develop and fully document a remediation plan for PC replacement or operating system upgrade. While this process does not clear you from the need to become compliant in a timely fashion, in the event that your ASC undergoes a HIPAA/HITECH audit, having a documented remediation plan with timelines indicates your ASC recognizes its non-compliance and has developed means to remediate the security vulnerability.
From an operating system perspective, you will need to determine whether the computer hardware is even capable of running a newer operating system. Ask your designated IT person to conduct an assessment of the computer's hardware resources (e.g., processor, memory, hard drive space), noting any technology that may present challenges to running a new system.
If the workstation has hardware resources to run a new operating system effectively, you can pay for a system license upgrade, backup files, reformat the hard drive and install the new operating system. If the computer's hardware resources cannot effectively handle the new system, you may be able to invest in upgrading the hardware so it meets the new operating system's hardware requirements.
However, the cost of new computers has declined significantly in recent years, so it is now oftentimes cheaper to purchase a new workstation with a new operating system installed rather than purchase new hardware, a new operating system license and pay an IT technician to install these components and configure the machine.
From an office suite perspective, you will once again want to ask your designated IT person to assess the computer's hardware resources and determine whether they can handle a new version of Microsoft Office. If your computer is running a newer version of Windows, there is a good probability it will be able to effectively run a newer version of Office.
Nelson Gomes (ngomes@p1cgroup.com) is the president and CEO of PriorityOne Group (www.p1cgroup.com), a New Jersey-based healthcare IT consulting firm. Gomes has 20 years experience in IT, including 15 specifically in health IT, providing services to ambulatory surgery centers, medical centers and clinics.
More Articles on Surgery Centers:
4 ASCs Performing Rare Pain Management Procedures
15 Statistics on ASC Days Operating Expenses
Overcome Big Revenue Cycle Management Obstacles: Trends & Analysis for ASCs