Is there a legal age limit to computer systems when HIPPA is concerned?
-
@psx_defector said in Is there a legal age limit to computer systems when HIPPA is concerned?:
HIPPA is how you handle your data, not how you handle your hardware. Closest thing would be not patching issues because they are no longer supported.
And does patching something make it "older" or "younger"?
-
@krisleslie said in Is there a legal age limit to computer systems when HIPPA is concerned?:
Well with the Intel fiasco with the cpu's, what's the likely chance they will update a system such as a Gateway profile 5.5?
That has nothing to do with age and everything about an unpatched vulnerability. You can't just start ruling stuff out based on age because there might be a risk with one specific vulnerability from one specific vendor in one specific case that you might loosely associate with age.
-
@scottalanmiller said in Is there a legal age limit to computer systems when HIPPA is concerned?:
@psx_defector said in Is there a legal age limit to computer systems when HIPPA is concerned?:
HIPPA is how you handle your data, not how you handle your hardware. Closest thing would be not patching issues because they are no longer supported.
And does patching something make it "older" or "younger"?
It's like putting in a new engine in a car. Yeah, it's patched against problems, but you are still driving around a 20 year old car.
-
@krisleslie said in Is there a legal age limit to computer systems when HIPPA is concerned?:
For a small non profit I am working with they had half of their existing systems running Windows XP and a hodgepodge of 7 and 8, 8.1.
There is no age issue there. There ARE issues with being past EOL, being out of support, not patching properly, violating even the most basic industry best practices, not following current security standards, and so forth. But that's not related to age.
-
@krisleslie said in Is there a legal age limit to computer systems when HIPPA is concerned?:
Well with the Intel fiasco with the cpu's, what's the likely chance they will update a system such as a Gateway profile 5.5? For a small non profit I am working with they had half of their existing systems running Windows XP and a hodgepodge of 7 and 8, 8.1.
I have installed Windows 10 and will be finishing up their deployment with a few months.
Given that there is a patch for Spectre/Meltdown for the OS side of things, and you can mitigate it via switches in Windows, the hardware is not the problem.
-
@krisleslie said in Is there a legal age limit to computer systems when HIPPA is concerned?:
Well with the Intel fiasco with the cpu's, ...
So since most REALLY old processors aren't affected by that at all, wouldn't that lead us to conclude that "young" processors would violate HIPAA and old do not?
-
@krisleslie said in Is there a legal age limit to computer systems when HIPPA is concerned?:
My thought's would be I believe totally focused on the CPU and the Firmware specifically. Those old clunker 5.5's are past their prime but once cleaned up and a new hard drive and ram put in them they run significantly better now than they did in their day.
Speed is never a factor in HIPAA or security. That something is slow is irrelevant. And stuff 20 years old can still be faster than stuff today.
-
@dustinb3403 said in Is there a legal age limit to computer systems when HIPPA is concerned?:
In cases like this the only reasonable approach would be to discard any hardware that can't be patched to a point that it isn't vulnerable.
Which means that any given hardware would be compliant, then not compliant, then compliant again.
For example, some old Intel CPUs never were affected by Spectre. So the oldest would have always been compliant. Then newer ones would have gone out of compliance because no patch was available. Then become compliant when a patch was made, then gone out of compliance when the patch was found to be bad, then compliant again with the new patch.
-
This kind of thinking gets into really dangerous lines of thought. For example.... are you compliant if there is a vulnerability that is known but not announced? What about if there is a vulnerability that isn't known? What if bad guys know but not the good guys? Who are good and bad guys? You get into a crazy situation of ephemeral compliance.
-
There is not age limit for the computer systems.
-
And I see everyone's point now. Here is a link that brought up some thought for me:
https://www.clearpathit.com/the-risks-of-running-windows-xp-for-healthcare-organizations
It's not the first time I have had bad thought's about this client and their infrastructure but it does make me wonder should we continue to use certain hardware.
Those older systems have been patched as far as they can go for the firmware. The OS is no longer Windows XP, it's Windows 10 and eventually they will have a Windows Server.
I see your point also Scott because I've even considered them just moving over to Chrome OS / Neverware since the systems were tested and worked fine for it. In their use case they don't have much data to store and typically have little to no idea where data resides in some cases. They don't rely heavily on Microsoft other than maybe Word or Excel. Even then, those things can be done on O365.
-
@krisleslie said in Is there a legal age limit to computer systems when HIPPA is concerned?:
And I see everyone's point now. Here is a link that brought up some thought for me:
https://www.clearpathit.com/the-risks-of-running-windows-xp-for-healthcare-organizations
Yeah, XP is both software, not hardware, and what makes it "old" is that it is not the current release of itself and is long out of support.
Think of XP as not patching for 16 years, not as the system itself being "old".
-
@krisleslie said in Is there a legal age limit to computer systems when HIPPA is concerned?:
It's not the first time I have had bad thought's about this client and their infrastructure but it does make me wonder should we continue to use certain hardware.
Old hardware is almost never a problem until performance or capacity or reliability make it so. And reliability is almost never a concern until you look at servers, and even then, pretty rarely. Unless you need support and the support costs make it no longer viable.