XP and HIPAA and Virtual Machines?

[Justin Shafer]

Lets say an office has an expensive medical device. Lets say it only works on XP. Lets say it has ethernet or usb.

Could we use a Virtual Machine running XP on a Host machine running say Windows 7?

Setup the Virtual Machine to not have internet access?
Setup the Virtual Machine and the medical device for NAT on a Virtual Lan?
Make the virtual disk image for the virtual machine overwritten with a good known disk image daily?

Could we arguably then use XP, and not throw away the medical device??

In this way it is no longer being used as on OS, but as an application????

Maybe???

http://www.hhs.gov/ocr/privacy/hipaa/fa ... /2014.html

Worth debating... I want a SOLID no, with a link.

Seems... bad...... that people would have to do this..... Throw perfectly good equipment away. Or sell it to mexico...

[bpcomp]

This might be left field but it might be worth a shot to try Wine under Linux for the XP only application. You then gain the security of an actively updated OS. You could still run it as a virtual machine with a private virtual Lan.

[Justin Shafer]

Yeah.. good idea.. I had considered that.. problem is wine does not fare well with usb.... It doesn't support it.. or something. Perhaps ethernet over usb....Then there is application issues that can follow...

[Justin Shafer]

http://wiki.winehq.org/USB

Hmm.. maybe we will need to compile after-all... Hmmm

[tgriswold]

I'm not sure the exact situation you're in, but have you tried using a newer version of windows but running the application, or its installer in compatibility mode for XP or older? It only occasionally works for me, but its worth a shot.

[JLM]

If the device interfaces with ethernet or usb, it should work from a xp guest VM. I have considered doing this with my old schick sensors that don't have 64bit drivers. If it is like Vixwin scsi, then no, it cannot be done. VM's cant/dont use scsi hardware. It can easily be configured to ignore the internet and revert to a snapshot on reboot. (Using workstation not player for vmware).

Jim Margarit

[Justin Shafer]

Yup. I was happy to get a SCSI Denoptix running with Windows 7 and zero virtual machines with Dexis 10, but I think the USB version (single speed) would need.. A virtual machine, as the driver does not seem to work in Windows 7, period. Nor vista, if I recall. So we would need to use XP in a virtual machine for hipaa? But I don't think HIPAA allows it.

Anyone know? Even if we kinda went nuts creating an environment around any possible XP exploits? Would it pass muster? Legally...

[KevinRossen]

Yup. I was happy to get a SCSI Denoptix running with Windows 7 and zero virtual machines with Dexis 10, but I think the USB version (single speed) would need.. A virtual machine, as the driver does not seem to work in Windows 7, period. Nor vista, if I recall. So we would need to use XP in a virtual machine for hipaa? But I don't think HIPAA allows it.

Anyone know? Even if we kinda went nuts creating an environment around any possible XP exploits? Would it pass muster? Legally...

Does the medical device's software permanently store and PHI? If not, you wouldn't really need to worry about XP from my understanding of HIPAA. If it's simply an interface that the data originates from and is stored elsewhere on the network I think you're ok.

[Hersheydmd]

I have an i-CAT Classic. The acquisition computer (provided by Imaging Sciences and included in the annual maintenance contract/extended warranty) runs on WinXP.
After much consideration Imaging Sciences decided that they would not be able to upgrade everyone's XP computers to Win 7 or 8. I presume the software might not be compatible and would create too many problems.
Instead the solution they came up with, in coordination with Microsoft, is to update the acquisition computer in such a way that it only runs the specific programs that came with the computer, that are necessary for running the i-CAT. No other executable files will be able to run on the computer. It like a reverse anti-virus. Instead of allowing everything to run, except what the anti-virus prohibits, this will allow nothing to run, except the programs that are specifically allowed. I think it is an ingenuous solution.
Of course it means that any programs that I added to the computer like MS Office, or Dexis can no longer be used. I can live with that.

[teethdood]

Robert,

Viruses do not need permission/you clicking on anything for them to run. They can port scan the XP computer and infect it that way. Or they can infect other computers on the network then spread to your XP machine. The way iCat handled it will mitigate a lot of virus vectors, but it will not get them all. It's like a patient using a flipper as a permanent partial. Sure it works ok, but it's loose, food traps, etc. You get the point.

[JLM]

Yup. I was happy to get a SCSI Denoptix running with Windows 7 and zero virtual machines with Dexis 10, but I think the USB version (single speed) would need.. A virtual machine, as the driver does not seem to work in Windows 7, period. Nor vista, if I recall. So we would need to use XP in a virtual machine for hipaa? But I don't think HIPAA allows it.

Anyone know? Even if we kinda went nuts creating an environment around any possible XP exploits? Would it pass muster? Legally...

You can configure the guest vm to only network with the host machine. If the host does not have ICS (internet connection sharing) turned on then the guest has no access to the internet. Also, my understanding is that if the guest vm has dhcp turned off, a fixed ip, no gateway information, no dns information, then there is no access to the internet and it is "safe". I would be some firewall changes could reinforce that.

With host only networking, you could use the xp vm for acquisition, and store the data on the 'safe' computer host.

Jim Margarit

[SofiiaSsss]

While using a Virtual Machine (VM) to run XP on a Windows 7 host machine may seem like a solution to keep using an expensive medical device, it's important to consider HIPAA compliance and security risks. The Health and Human Services website provides guidelines on HIPAA compliance, and using outdated operating systems like XP may pose security vulnerabilities. It's recommended to prioritize patient data security and compliance with regulations. For more insights into medical device integration and compliance, you might find this post helpful: https://www.cleveroad.com/blog/medical- ... tegration/

[Veso45d]

To address XP, HIPAA compliance, and virtual machines in healthcare, it's important to consider how these technologies interact. Windows XP, being outdated, poses significant security risks and is generally non-compliant with HIPAA due to vulnerabilities. Virtual machines can provide a workaround by isolating legacy systems, but ensuring encrypted data transmission and restricted access is crucial for compliance.

For a more holistic approach, focusing on device integration healthcare can bridge gaps between outdated systems and modern, secure infrastructures. This article provides valuable insights: device integration healthcare.