Gazelle Consulting

Computers Running Windows Vista Are No Longer HIPAA Compliant

In a relatively subdued statement, Microsoft announced the final step in the lifecycle of its oldest supported Windows operating system (OS). As of April 11, 2017, Microsoft has officially ended support for Windows Vista. The move flew under the radar of most security blogs and news outlets, largely because of the lack of enthusiasm that has surrounded the OS since its 2006 release. It currently holds a rating of only 70, while the current version of Windows (Windows 10) scores 91 on the same scale. Despite its age and relative unpopularity, Vista still makes up just over 1% of the worldwide OS market share, so the end of support affects many millions of machines.


As far as health care privacy is concerned, the end of Microsoft support effectively makes HIPAA compliance impossible on machines running Windows Vista. Section 164.308(a)(5)(ii)(B) of the HIPAA Security Rule requires “procedures for guarding against, detecting, and reporting malicious software.” Once Microsoft stops issuing security updates, every vulnerability discovered in Vista from now on stays unpatched forever, and an organization cannot credibly claim to be guarding against malware that exploits holes it has no way to close. The same gap surfaces in the risk analysis that 164.308(a)(1)(ii)(A) requires: an operating system that can no longer be patched is a known, unmitigated risk to electronic protected health information.


But all of my anti-virus and encryption technology is up to date. Isn’t that enough? 


Here’s the answer straight from the horse’s mouth, from Microsoft’s equivalent announcement about the end of Windows XP support: “Without critical Windows XP security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information. Anti-virus software will also not be able to fully protect you once Windows XP itself is unsupported.”


Although the statement refers to XP, it applies equally to Vista. Each month Microsoft releases security updates that fix vulnerabilities in the operating systems it still supports. Vista shares a great deal of code with Windows 7 and Windows Server 2008, so a patch for those systems is also a public description of a bug that very likely still exists, unfixed, in Vista. Attackers routinely compare the patched and unpatched binaries to locate the flaw and then build an exploit for the versions that will never receive the fix. Anti-virus and encryption do not close that gap: anti-virus looks for known malicious files and behaviour but cannot repair a bug in the kernel or a system service, and full-disk encryption protects data only while the machine is powered off; once an attacker has code running on a booted, logged-in system, the data is already decrypted for them.


It is unlikely that your organization still runs Windows Vista, but if it does, its data may already have been exposed to attackers who target Vista specifically. The upgrade may feel like a burden, but it is urgent. And if you don’t use Vista, don’t get complacent: the widely used Windows 7 is next on the docket, with support ending on January 14, 2020.
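The first step is finding out whether any such machines exist. The PowerShell function below is an added example (not part of the original post and not a Microsoft tool) that queries each host in a list for its OS version and flags any whose OS is past Microsoft's end-of-support date. It assumes you run it from a current administrative workstation with rights on the target machines and WMI/DCOM reachability; the function name, the end-of-support table and the file name hosts.txt are placeholders chosen for this example. The Vista and Windows 7 dates are the ones given in this post; the others are Microsoft's published dates and should be confirmed against the Microsoft Lifecycle pages before you rely on them.

```powershell
# Added example (not from the original post): flag Windows hosts whose OS has
# passed Microsoft's end-of-support date. Dates are keyed by the major.minor
# prefix of Win32_OperatingSystem.Version. Vista/Windows 7 dates are the ones in
# the post; the rest are Microsoft's published dates (assumption: confirm them).
# Windows 10 (10.0) support depends on the build, so it is deliberately absent.
$EndOfSupport = @{
    '5.1' = [datetime]'2014-04-08'   # Windows XP
    '6.0' = [datetime]'2017-04-11'   # Windows Vista
    '6.1' = [datetime]'2020-01-14'   # Windows 7
    '6.3' = [datetime]'2023-01-10'   # Windows 8.1
}

function Get-OsSupportStatus {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [datetime] $AsOf = (Get-Date)
    )
    # DCOM instead of the default WS-Man: Vista-era hosts never got WSMan 3.0
    # and would otherwise be unreachable from Get-CimInstance.
    $opt = New-CimSessionOption -Protocol Dcom
    foreach ($name in $ComputerName) {
        try {
            $session = New-CimSession -ComputerName $name -SessionOption $opt -ErrorAction Stop
            $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
            Remove-CimSession $session
        } catch {
            # An unreachable host is a finding too: it still has to be inventoried.
            [pscustomobject]@{ Computer = $name; Caption = $null; Version = $null
                               EndOfSupport = $null; Status = "Unreachable: $($_.Exception.Message)" }
            continue
        }
        $key = ($os.Version -split '\.')[0..1] -join '.'   # "6.0.6002" -> "6.0"
        $eol = $EndOfSupport[$key]
        $status = if ($os.ProductType -ne 1) { 'Server SKU: check its own lifecycle' }  # 1 = workstation
                  elseif (-not $eol)         { 'Not in table: check lifecycle (Windows 10 is build-specific)' }
                  elseif ($AsOf -gt $eol)    { 'UNSUPPORTED: not HIPAA compliant, remediate' }
                  else                       { "Supported until $($eol.ToString('yyyy-MM-dd'))" }
        [pscustomobject]@{ Computer = $name; Caption = $os.Caption; Version = $os.Version
                           EndOfSupport = $eol; Status = $status }
    }
}

# Usage: one computer name per line in hosts.txt (placeholder file name).
Get-OsSupportStatus -ComputerName (Get-Content .\hosts.txt) |
    Sort-Object Status |
    Format-Table Computer, Caption, Version, EndOfSupport, Status -AutoSize
```

A Vista SP2 machine reports Version 6.0.6002 and ProductType 1, so it lands in the UNSUPPORTED row; Windows Server 2008 reports the same 6.0 prefix but ProductType 3, which is why the server branch exists rather than a blanket 6.0 rule. Hosts that cannot be reached are listed rather than silently skipped, since a machine you cannot inventory cannot be shown to be compliant either.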


Takeaways:


  • As of April 11, 2017, Windows Vista is no longer supported and therefore no longer HIPAA compliant.

  • Strong anti-virus and encryption are not enough if you’re running Vista.