Windows XP enterprise end of support website points readers directly to the Health and Human Services (HHS) Security Rule guidance on operating system requirements for the personal computer systems used by a covered entity. The HHS guidance covers a situation such as Windows XP End of Support(EoS) when it states that:
"any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).”
HHS guidance explicitly addresses the security compliance that an operating system provides when it states:
“the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security.”
It is clear that an unsupported operating system will need to have significant technical safeguards deployed and configured properly to reduce the risk of exploitation of the unsupported operating system. Application whitelisting programs used to be considered an optional technical security control, but as the nature of networks and applications changed, application whitelisting programs moved past being a “best practice” years ago. It is now considered both a basic and standard security control. When configured properly, these programs can arguably be the strongest component of operating system defense in depth. It can protect against the deliberate or inadvertent exploitation of operating system vulnerabilities, regardless of whether the workstation activity is performed by authorized users, unauthorized users, or malware. Application whitelisting programs have been identified as the first of the five “Quick Wins” in the Top 20 Security Controls – these are the sub-controls that have the most immediate impact on preventing attacks.
These programs offer a range of features that significantly reduces the attack surfaces that threats are actively attempting to exploit. Risk is reduced because there is much less opportunity to deliberately or unintentionally exploit potential weak spots or vulnerabilities. The abilities of application white-listing programs to limit, disable, or restrict access makes it a significant part of defense in depth best practices for all operating systems, including Windows XP as it becomes unsupported.
We'll focus on the feature set of McAfee's Application Control since this is most available to us, but most other feature rich whitelisting applications should contain similar functionality. If you're unsure if all of these items are addressed with the particular program you're evaluating, reach out to the vendor or conduct your own analysis
Application ControlAchieving compliance with the Security Rule while continuing to use Windows XP will involve documenting your risk analysis and using reasonable and appropriate technical safeguards such as application white listing to reduce the likelihood that threats can exploit vulnerabilities.
Human Threats Addressed:
- Abuse of Information System
- Abuse of Privileges
- Abuse of Resources
- Damage to ePHI or Business Information
- Destruction of ePHI or Business Information
- Theft of ePHI or Business Information
- Theft of Financial Assets
- Reckless Insiders
- Untrained Insiders
- Reckless Information Partner
- Untrained Information Partner
- Reckless Line of Business
- Untrained Line of Business
- Disgruntled Insider
- Disgruntled Information Partner
- 3rd Party Threats
- Organized Crime
Application whitelisting programs also directly supports you if you will be the recipient of a HIPAA Audit Protocol assessment pursuant to the HITECH Act audit mandate. It can specifically enforce or support compliance for components in the Audit Protocol assessment of;
- Information Access Management §164.308(a)(4)
- Workstation Use (§164.310(b))
- Access Control requirement “to allow access only to those persons or software programs that have been granted access rights”
- Audit Control (§164.312(b))
For environments where there is a need to comply with the Centers for Medicare & Medicaid Services (CMS) requirements which involve NIST 800-53 standards, Application whitelisting programs support meeting these NIST control family standards;
- Access Control (AC) - This control family includes mechanisms used to designate who or what is to have access to a specific resource and the type of transactions and functions that are permitted.
- Configuration Management (CM) - This control family aims to address the activities that present a risk of integration failure due to component change. This includes change control processes and asset management.
- Maintenance (MA) - This control family addresses the requirement that trusted systems within the environment retain their trustworthiness over time. Key elements include patch management, system builds, and hardening processes
- System and Information Integrity (SI) – The controls in this family are used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user the information meets expectations about its quality and integrity. Additionally, this family covers various aspects of flaw remediation.
CMS has also referenced the Top 20 Critical Security Controls (now maintained by The Council on CyberSecurity). The latest version of the Top 20 (Critical Controls Version 5.0) continues identifying application whitelisting as the first of five “Quick Wins”; these are the sub-controls that have the most immediate impact on preventing attacks.
*Image above was borrowed from here