Hipaa and Remote Desktop

I have a client that dropped the bomb on me that they're cancelling my maintenance contract. They went behind me and are moving their server to the cloud. I previously had quoted them for new desktops and a new server since they're running XP and Server 2003 and are under HIPAA. Since they have someone moving their main application to the cloud and are going to be using Remote Desktop, do they still need to upgrade/replace their XP systems? My understanding was that anything that accesses patient data is at risk, and since XP is no longer receiving security patches, that puts those systems at risk. I'm trying to convince them that they still need to get rid of XP and also keep me on some sort of contract. What are your ideas?
 
They have a fairly valid stance IMO. In this situation, the workstations are now basically just dumb terminals. If no information is held locally...they have a pretty good argument defending the fact that the computers are still WinXP.

Security through RDP can be the same regardless of XP or Win7 clients.
For my healthcare clients when they have a terminal server I kick it up to be behind TSGateway....to secure it all through port 443 (no 3389 is exposed)..and it forces the RDC to use NTLM authentication. With the latest Remote Desktop Client install on XP and 2x registry edits...they can work through TSGateway.

A lot of HIPAA's rules are gray. There's really no cut 'n dry. I've yet to see actual wording...text...."laws" if you will..that say "Windows XP will have your company FAIL an audit". Much of it is really "best effort"...based on what your agency can afford, can do, and what your plans for the future are.
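The post above describes the client-side setup that makes the XP-as-dumb-terminal argument hold: every session goes through a TS Gateway on 443, nothing listens on 3389 externally, and the client is made to authenticate the server. What follows is an added example, not code from the poster or from Microsoft: a small Python audit of exported .rdp connection files that flags the settings which would undo that posture. The two sample files are constructed, and the meaning attached to each .rdp key (gatewayusagemethod 1 = always use the gateway, authentication level 0 = connect even if the server cannot be verified, enablecredsspsupport 1 = CredSSP/NLA on) is my reading of the RDP file format, not something the post states; the NTLM behaviour the post mentions is enforced on the gateway side and is not visible in a client file.

```python
"""Audit exported .rdp files for gateway use and server authentication.

Added example (not from the forum post). Sample file contents are constructed.
"""
from __future__ import annotations

# Constructed sample: what a workstation pointed at a TS Gateway should look like.
GOOD_RDP = """\
full address:s:ts01.example.internal
gatewayhostname:s:rdgw.example.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
authentication level:i:1
enablecredsspsupport:i:1
"""

# Constructed sample: direct connection to a raw 3389 listener, no server auth.
WEAK_RDP = """\
full address:s:203.0.113.10:3389
gatewayusagemethod:i:0
authentication level:i:0
enablecredsspsupport:i:0
"""


def parse_rdp(text: str) -> dict[str, str]:
    """Parse 'key:type:value' lines into {key: value}. Keys may contain spaces."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        parts = line.split(":", 2)  # maxsplit keeps 'host:port' values intact
        if len(parts) != 3:
            continue
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_rdp(text: str) -> list[str]:
    """Return findings for one .rdp file; an empty list means all checks passed."""
    s = parse_rdp(text)
    findings: list[str] = []

    # Assumed key semantics: gatewayusagemethod 1 forces every session through
    # the named gateway, which is what keeps 3389 off the edge firewall.
    if s.get("gatewayusagemethod") != "1" or not s.get("gatewayhostname"):
        findings.append(
            "not forced through an RD/TS Gateway "
            "(expect gatewayusagemethod:i:1 with gatewayhostname set)"
        )

    # authentication level 0 connects even when the server identity check fails.
    if s.get("authentication level", "0") == "0":
        findings.append(
            "server authentication not enforced (expect authentication level 1 or 2)"
        )

    # CredSSP support is what lets the client do Network Level Authentication.
    if s.get("enablecredsspsupport", "0") != "1":
        findings.append("CredSSP/NLA disabled (expect enablecredsspsupport:i:1)")

    # A target written as host:3389 points at the raw RDP port rather than a gateway.
    addr = s.get("full address", "")
    if addr.endswith(":3389"):
        findings.append(f"direct connection to {addr} on port 3389")

    return findings


if __name__ == "__main__":
    for name, content in (("good.rdp", GOOD_RDP), ("weak.rdp", WEAK_RDP)):
        result = audit_rdp(content)
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for f in result:
            print(f"  - {f}")
```

Run it against the .rdp files actually deployed to the XP boxes (they are plain text, so `audit_rdp(open(path).read())` works as-is) and any file that returns findings is a workstation that is no longer just a dumb terminal behind the gateway.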
 
My understanding of this is a lot like how YeOlde has stated, but with a small addition. Their computers/network will still need protection such as AV, a firewall, etc. As long as the RDP connection is secure, and they still have protection for their systems in place, then they should be good. No information is stored locally, so they won't need everything they had before, but they are still going to be using computers that access ePHI, so the no-XP thing may or may not apply.

I've got a client who handles the healthcare insurance, billing, collection, etc., etc., and they have to conform to HIPAA standards all over the place. Their employees work from home, and are given a computer with Windows 7 Professional that actually establishes a VPN upon boot to their server that is co-located for AD/DC, and all other things. The actual ePHI is stored in the "cloud" through another company that provides them a Remote Desktop where they actually perform their work. No client information is stored on these individual computers that the employees use, but they still have an AV on each workstation, that is managed by the company's server. And because the connection is all through a VPN, the server has the firewall instead of the individual employee. From what I've seen, it's not a very impressive server, but it has 2 dedicated ISPs, one is a 10Gbps Fiber, and the other a Cable Internet Connection that caps out at 100Mbps and is used for overflow and as a backup. They moved from XP to 7 back in January, and I was part of going to each of their employees here in Phoenix to do that for them. Since then, we've picked up handling their computers as they still have problems here and there (yeah...pretty much helpdesk support. "Hello IT, have you tried turning it off and on again"). We also provide them the MAV and RMM. They got audited back in December, and the only thing they were told needed to be done was make sure that the XP systems are upgraded from XP. Again, this client of mine does not actually store any ePHI on their systems, to include the server.
 
So the key is no patient information can be stored locally?

Yes...IMO....no PHI stored locally ...sort of gives them a little bit of a "pass" on the XP systems.

Agree with what Frederick added above...try to pitch a UTM at the edge, pitch monitored AV...and get them to agree to some replacement cycle and document it. XXX amount of systems replaced every 6 months or so.
 
...and get them to agree to some replacement cycle and document it. XXX amount of systems replaced every 6 months or so.
Good business sense in this message.
While there is no 100% definitive answer on the XP thing, and running their ePHI information on a remote computer via RDP might be acceptable now, no one knows what is coming down the pipe. So for them it'd be a good idea to start with the phasing-out process now instead of getting hit with one big bill for it by waiting until they are behind the gun.
 
Good business sense in this message.
While there is no 100% definitive answer on the XP thing, and running their ePHI information on a remote computer via RDP might be acceptable now, no one knows what is coming down the pipe. So for them it'd be a good idea to start with the phasing-out process now instead of getting hit with one big bill for it by waiting until they are behind the gun.

Yeah it will be a slow...crumbling wall with XP. Things still work now....but as time goes on, things like antivirus upgrades will start to halt...the latest (current) version of whatever AV product they use will no longer install on XP...so they'll start lagging behind with versions. Sure the definitions will likely still update...but protection becomes diminished.

Ever important web player updates like Flash/Java will likely stop installing on XP down the road some time...maybe next year...maybe 2 years from now...

So as time marches forward....XP will become less..and less usable. You'll encounter more "OK this no longer works"....
 
So as time marches forward....XP will become less..and less usable. You'll encounter more "OK this no longer works"....

Already encountered that with a bunch of healthcare websites (REQUIRE IE10) and at least one web based EMR system.
 
Already encountered that with a bunch of healthcare websites (REQUIRE IE10) and at least one web based EMR system.

Yeah....old browser versions will be a driving force that will push sooner than later.
Using alternate browsers (FF or Chrome) will get some people by with some sites. But many sites, such as healthcare EMR, and others...require you to use Internet Exploader due to ActiveX controls or .NET Framework based hosted apps. They won't work with alternate browsers.
 
Yeah....old browser versions will be a driving force that will push sooner than later.
Using alternate browsers (FF or Chrome) will get some people by with some sites. But many sites, such as healthcare EMR, and others...require you to use Internet Exploader due to ActiveX controls or .NET Framework based hosted apps. They won't work with alternate browsers.

We could spend all day talking about this I suppose.
Or move straight to the wacky-ness that we encounter. :)
Got one client that accesses several healthcare sites that generate PDF files. One of them will not work with any Adobe Reader later than 10, but another requires the latest version (actually performs a check and fails if not the latest).
Yeah.... good times.
 
We could spend all day talking about this I suppose.
Or move straight to the wacky-ness that we encounter. :)
Got one client that accesses several healthcare sites that generate PDF files. One of them will not work with any Adobe Reader later than 10, but another requires the latest version (actually performs a check and fails if not the latest).
Yeah.... good times.

Yeah I have one nursing home client..one of their EMRs (Optimus or SOS) is always waaaaay behind the times. They support only old Adobe Reader, like 2x versions back, and an old version of IE...think 2x versions back.
 