Page 1 of 1

XP and HIPAA and Virtual Machines?

Posted: Sun May 18, 2014 5:13 pm
by Justin Shafer
Lets say an office has an expensive medical device. Lets say it only works on XP. Lets say it has ethernet or usb.

Could we use a Virtual Machine running XP on a Host machine running say Windows 7?

Setup the Virtual Machine to not have internet access?
Setup the Virtual Machine and the medical device for NAT on a Virtual Lan?
Make the virtual disk image for the virtual machine overwritten with a good known disk image daily?

Could we arguably then use XP, and not throw away the medical device??

In this way it is no longer being used as on OS, but as an application????

Maybe???

http://www.hhs.gov/ocr/privacy/hipaa/fa ... /2014.html

Worth debating... I want a SOLID no, with a link.

Seems... bad...... that people would have to do this..... Throw perfectly good equipment away. Or sell it to mexico... :x

Re: XP and HIPAA and Virtual Machines?

Posted: Mon May 19, 2014 10:39 am
by bpcomp
This might be left field but it might be worth a shot to try Wine under Linux for the XP only application. You then gain the security of an actively updated OS. You could still run it as a virtual machine with a private virtual Lan.

Re: XP and HIPAA and Virtual Machines?

Posted: Mon May 19, 2014 11:00 am
by Justin Shafer
Yeah.. good idea.. I had considered that.. problem is wine does not fare well with usb.... It doesn't support it.. or something. Perhaps ethernet over usb....Then there is application issues that can follow...

Re: XP and HIPAA and Virtual Machines?

Posted: Mon May 19, 2014 1:38 pm
by Justin Shafer
http://wiki.winehq.org/USB

Hmm.. maybe we will need to compile after-all... Hmmm

Re: XP and HIPAA and Virtual Machines?

Posted: Mon May 19, 2014 3:25 pm
by tgriswold
I'm not sure the exact situation you're in, but have you tried using a newer version of windows but running the application, or its installer in compatibility mode for XP or older? It only occasionally works for me, but its worth a shot.

Re: XP and HIPAA and Virtual Machines?

Posted: Tue May 20, 2014 3:15 pm
by JLM
If the device interfaces with ethernet or usb, it should work from a xp guest VM. I have considered doing this with my old schick sensors that don't have 64bit drivers. If it is like Vixwin scsi, then no, it cannot be done. VM's cant/dont use scsi hardware. It can easily be configured to ignore the internet and revert to a snapshot on reboot. (Using workstation not player for vmware).

Jim Margarit

Re: XP and HIPAA and Virtual Machines?

Posted: Thu May 22, 2014 7:23 am
by Justin Shafer
Yup. I was happy to get a SCSI Denoptix running with Windows 7 and zero virtual machines with Dexis 10, but I think the USB version (single speed) would need.. A virtual machine, as the driver does not seem to work in Windows 7, period. Nor vista, if I recall. So we would need to use XP in a virtual machine for hipaa? But I don't think HIPAA allows it.

Anyone know? Even if we kinda went nuts creating an environment around any possible XP exploits? Would it pass muster? Legally...

Re: XP and HIPAA and Virtual Machines?

Posted: Thu May 22, 2014 9:10 am
by KevinRossen
Justin Shafer wrote:Yup. I was happy to get a SCSI Denoptix running with Windows 7 and zero virtual machines with Dexis 10, but I think the USB version (single speed) would need.. A virtual machine, as the driver does not seem to work in Windows 7, period. Nor vista, if I recall. So we would need to use XP in a virtual machine for hipaa? But I don't think HIPAA allows it.

Anyone know? Even if we kinda went nuts creating an environment around any possible XP exploits? Would it pass muster? Legally...
Does the medical device's software permanently store and PHI? If not, you wouldn't really need to worry about XP from my understanding of HIPAA. If it's simply an interface that the data originates from and is stored elsewhere on the network I think you're ok.

Re: XP and HIPAA and Virtual Machines?

Posted: Thu May 22, 2014 5:42 pm
by Hersheydmd
I have an i-CAT Classic. The acquisition computer (provided by Imaging Sciences and included in the annual maintenance contract/extended warranty) runs on WinXP.
After much consideration Imaging Sciences decided that they would not be able to upgrade everyone's XP computers to Win 7 or 8. I presume the software might not be compatible and would create too many problems.
Instead the solution they came up with, in coordination with Microsoft, is to update the acquisition computer in such a way that it only runs the specific programs that came with the computer, that are necessary for running the i-CAT. No other executable files will be able to run on the computer. It like a reverse anti-virus. Instead of allowing everything to run, except what the anti-virus prohibits, this will allow nothing to run, except the programs that are specifically allowed. I think it is an ingenuous solution.
Of course it means that any programs that I added to the computer like MS Office, or Dexis can no longer be used. I can live with that.

Re: XP and HIPAA and Virtual Machines?

Posted: Fri May 23, 2014 7:48 am
by teethdood
Robert,

Viruses do not need permission/you clicking on anything for them to run. They can port scan the XP computer and infect it that way. Or they can infect other computers on the network then spread to your XP machine. The way iCat handled it will mitigate a lot of virus vectors, but it will not get them all. It's like a patient using a flipper as a permanent partial. Sure it works ok, but it's loose, food traps, etc. You get the point.

Re: XP and HIPAA and Virtual Machines?

Posted: Tue May 27, 2014 8:59 am
by JLM
Justin Shafer wrote:Yup. I was happy to get a SCSI Denoptix running with Windows 7 and zero virtual machines with Dexis 10, but I think the USB version (single speed) would need.. A virtual machine, as the driver does not seem to work in Windows 7, period. Nor vista, if I recall. So we would need to use XP in a virtual machine for hipaa? But I don't think HIPAA allows it.

Anyone know? Even if we kinda went nuts creating an environment around any possible XP exploits? Would it pass muster? Legally...
You can configure the guest vm to only network with the host machine. If the host does not have ICS (internet connection sharing) turned on then the guest has no access to the internet. Also, my understanding is that if the guest vm has dhcp turned off, a fixed ip, no gateway information, no dns information, then there is no access to the internet and it is "safe". I would be some firewall changes could reinforce that.

With host only networking, you could use the xp vm for acquisition, and store the data on the 'safe' computer host.

Jim Margarit