
Is Running Windows 10 a HIPAA Violation? What Medical Practices Need to Know in 2026

Windows 10 HIPAA compliance for medical practices in 2026

On October 14, 2025, Microsoft stopped shipping security updates for Windows 10. For a medical practice, that date matters more than most. The front desk PC that checks in patients, the workstation that opens your EHR, the laptop a provider uses for telehealth: if any of them still run Windows 10, they are now running software the manufacturer no longer patches. So the question many practice managers are asking is a fair one. Is that a HIPAA problem? The short answer is that Windows 10 by itself is not automatically a violation, but leaving it in place without a plan can put you on the wrong side of the HIPAA Security Rule. Windows 10 HIPAA compliance is now a live question, and it is one you want to answer before your next audit, not during it.

What “end of support” actually means

Microsoft ended support for Windows 10 on October 14, 2025. The machines still turn on and still run, but they no longer receive security updates, bug fixes, or technical assistance. Every new vulnerability discovered after that date stays open on a Windows 10 device unless you take a specific step to keep receiving patches.

In healthcare that gap is not academic. Attackers target medical practices because protected health information is valuable, and an unpatched endpoint is one of the easiest doors to walk through. That is why endpoint security sits at the center of any serious defense.

Is running Windows 10 a HIPAA violation?

Not by itself. The Department of Health and Human Services has been explicit that the Security Rule “does not specify minimum requirements for personal computer operating systems.” Practices have flexibility to choose the safeguards that fit their size and workflow.

The catch is in the very next sentence of that same guidance. HHS says any known vulnerabilities of an operating system should be considered in your risk analysis, including “known vulnerabilities for which a security patch is unavailable” because “the operating system is no longer supported by its manufacturer.”

In plain English: once Microsoft stops patching Windows 10, every newly discovered flaw becomes a known risk you are now responsible for identifying and addressing. If your HIPAA risk analysis ignores it, or you document the risk and then do nothing about it, that is where real compliance exposure begins. Federal regulators have already settled enforcement cases that turned, in part, on unpatched and unsupported software.

Your three realistic options

Every Windows 10 device in your practice should land in one of three buckets. The sooner you sort them, the cheaper and calmer the project.

  • Upgrade eligible PCs to Windows 11. This is the cleanest fix and it is free when the hardware qualifies. Windows 11 requires a compatible 64-bit processor, 4 GB of RAM, 64 GB of storage, UEFI with Secure Boot, and a TPM 2.0 security chip. Many practice PCs purchased before 2018 will fail the TPM 2.0 check.
  • Enroll in commercial Extended Security Updates (ESU). Microsoft sells ESU as a paid bridge for organizations at about $61 per device for the first year, with the price doubling each year, available for a maximum of three years. It buys time to migrate. It is not a long-term home.
  • Replace aging hardware. For machines that cannot run Windows 11 and are already several years old, new equipment is often cheaper over two years than stacking rising ESU fees, and it removes the risk entirely. Weigh this against your broader IT budget.

Do not forget the PCs bolted to your equipment

Some practices run Windows 10, or something older, on workstations tied to imaging systems, lab analyzers, or specialty EHR modules that a vendor has not yet certified for Windows 11. Those are exactly the systems to inventory first, because they usually touch ePHI and cannot be casually upgraded. The right move is a documented decision: isolate them on the network, confirm the vendor’s timeline, and record the chosen safeguard in your risk analysis.

A simple action plan

You do not need a massive project to get this right, just a short and deliberate one.

  • Inventory every device and note which operating system it runs.
  • Sort each one into upgrade, ESU bridge, or replace.
  • Update your HIPAA risk analysis to reflect any device still on Windows 10 and the safeguard you have chosen for it.
  • Set a hard deadline so the temporary ESU bridge does not quietly become your permanent strategy.
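To turn the inventory-and-sort steps above into something repeatable, here is an added PowerShell example (not code from the original article or from Atlantic Computer Systems) that checks one PC against the Windows 11 requirements listed earlier and drops it into the upgrade, ESU bridge, or replace bucket. It is meant to run in an elevated session on each Windows PC (or through an RMM tool); the `$ReplaceAfterYears` cutoff and the BIOS-date age estimate are assumptions, since the article only says "several years old".

```powershell
# Added example: sort the local PC into the article's three buckets.
# Run elevated; Win32_Tpm requires administrator rights.
function Get-Win10Disposition {
    param([int]$ReplaceAfterYears = 6)   # assumption: article says "several years"

    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $bios = Get-CimInstance Win32_BIOS
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # Windows 11 starts at build 22000; anything lower is Windows 10 or older.
    $onWindows10OrOlder = [int]$os.BuildNumber -lt 22000

    # Hardware checks mirror the Windows 11 requirements in the article.
    # Reported RAM/disk sizes sit slightly under the nominal figure, so round first.
    $ramOk  = [math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 4
    $diskOk = [math]::Round($disk.Size / 1GB) -ge 64
    $cpuOk  = $cpu.DataWidth -eq 64

    # Confirm-SecureBootUEFI throws on legacy BIOS, which also fails the UEFI requirement.
    try { $secureBootOk = Confirm-SecureBootUEFI } catch { $secureBootOk = $false }

    # SpecVersion reads like "2.0, 0, 1.38" on a TPM 2.0 part.
    $tpm   = Get-CimInstance -Namespace root/cimv2/security/microsofttpm `
                 -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmOk = ($null -ne $tpm) -and $tpm.IsEnabled_InitialValue -and ($tpm.SpecVersion -like '2.0*')

    $eligible = $ramOk -and $diskOk -and $cpuOk -and $secureBootOk -and $tpmOk
    # Rough device age from the BIOS release date (assumption; VMs may report none).
    $ageYears = if ($bios.ReleaseDate) { ((Get-Date) - $bios.ReleaseDate).TotalDays / 365.25 } else { 0 }

    $disposition = if (-not $onWindows10OrOlder) { 'Already on Windows 11 - no action' }
                   elseif ($eligible)            { 'Upgrade to Windows 11' }
                   elseif ($ageYears -ge $ReplaceAfterYears) { 'Replace hardware' }
                   else                          { 'ESU bridge - set a migration deadline' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = $os.Caption
        Build        = $os.BuildNumber
        TPM20        = $tpmOk
        SecureBoot   = $secureBootOk
        CPU64        = $cpuOk
        RAM_GB       = [math]::Round($cs.TotalPhysicalMemory / 1GB)
        Disk_GB      = [math]::Round($disk.Size / 1GB)
        ApproxAgeYrs = [math]::Round($ageYears, 1)
        Disposition  = $disposition
    }
}

# Append this PC's row to a shared inventory file that feeds the risk analysis.
Get-Win10Disposition | Export-Csv -Path "$env:SystemDrive\Win10Inventory.csv" -Append -NoTypeInformation
```

The CSV gives you the per-device record (OS, build, safeguard chosen) that the risk analysis step above asks you to document.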

This is straightforward work, but it is easy to let slide when you are busy seeing patients. A managed IT partner that knows healthcare can inventory your fleet, flag the HIPAA exposure, schedule upgrades around your appointment calendar, and keep the documentation an auditor will eventually ask for.

Frequently asked questions

Is Windows 10 illegal to use in a medical office now?

No. It is neither illegal nor an automatic HIPAA violation. The problem is that it no longer receives security patches, so any unaddressed vulnerability becomes a known risk your HIPAA risk analysis must account for and act on.

How long can I keep Windows 10 using Extended Security Updates?

For organizations, commercial ESU is available for up to three years past the October 14, 2025 end-of-support date, with the per-device price roughly doubling each year. It is designed as a bridge to give you time to migrate, not a destination.

My computer says it cannot run Windows 11. Why?

Windows 11 requires modern security features, most commonly a TPM 2.0 chip and Secure Boot. Computers built before roughly 2018 often lack these, which is why they need either the ESU bridge or replacement.

Does upgrading to Windows 11 make my practice HIPAA compliant?

It removes one specific risk, an unsupported operating system, but compliance is broader. You still need a current risk analysis, access controls, encryption, reliable backups, and workforce training. Our HIPAA compliance services address the full picture.

We use a cloud EHR. Does the operating system still matter?

Yes. Even with a cloud EHR, the local device displays and can temporarily store ePHI, and a compromised endpoint can expose login credentials and patient data. The workstation is still in scope.

Not sure which of your PCs are still on Windows 10?

If you are not certain how many of your computers still run Windows 10, or what that means for your next audit, we can help. Book a free IT and security consultation with Atlantic Computer Systems and we will review your devices, your HIPAA exposure, and the most cost-effective path forward. Schedule it here: https://calendly.com/glewis-acs-tech/free-it-security-assessment or call 1-650-300-7557.
