
Running Windows XP means you are non-compliant and open to liability

On April 8, 2014, Microsoft will not release any security patches for Windows XP, which will effectively make it non-compliant with HIPAA / HITECH.

By Jeffrey Brady

Information Technology pros in the healthcare industry may want to get a head start on their spring cleaning. Microsoft's extended support for Windows XP ends on April 8, 2014. After this date, Microsoft will not release any security patches or updates for Windows XP, which will effectively make Windows XP non-compliant with HIPAA / HITECH from that point on.

Goodbye XP

Windows XP was released August 24, 2001 and has been widely deployed in homes and corporate environments alike. In the Healthcare arena, XP may be found on workstations used by clinical staff, CT machines, and other critical medical devices.

Most of these devices are on the network because they must reach EHR/EMR systems, so simply disconnecting them is not an option. In addition, many of these devices are running old and proprietary applications that may not run on a newer operating system such as Windows 7 or 8.

What can an IT pro do when faced with this dilemma? In an ideal world your systems would already be off XP or you would be well into a migration effort. However, some of us have inherited this problem and must find a solution that not only addresses this problem, but also does so in a cost effective manner. Ideally, you will even have the opportunity to make technical improvements in your infrastructure, enhance security and manageability of your systems, and provide your clinical staff with a more efficient computing environment.

Evaluate your current situation

Getting your vendors involved is very important at this stage. You will want to find out how to move to newer versions of their software that are compatible with Windows 7 or beyond. If you have a current maintenance agreement you may just need to download their newest software and run it through your testing process. If you are not under maintenance, you may face pricey upgrades to move to their new platform.

Another option may be to run the application on a terminal server and have your clients access the application via a remote desktop connection.

Lastly, you will also want to do an assessment of your medical devices to see which of these systems may be impacted by the Windows XP "sunset".

Your next step is to evaluate your current workstations. Do they have the resources to run a newer version of Windows? If so, you can exercise your volume licensing upgrade options, or purchase the proper licensing to upgrade your environment. A more likely scenario is that you have old workstations that are overdue for replacement anyway, in which case upgrading them in place would not be practical.

You can look at simply replacing your desktops with new shiny boxes and work on your migration plan for applications and user data. Another option you may strongly consider is implementing a VDI (virtual desktop infrastructure).
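One way to produce the device inventory and the workstation resource check described above, as an added example that is not part of the original article: a PowerShell script that pulls every domain-joined Windows XP machine from Active Directory, queries each reachable one over WMI, and sorts it into "upgrade in place" or "replace / VDI". It assumes the RSAT ActiveDirectory module, WMI reachability to the workstations, an account with local admin rights on them, and the RAM and disk thresholds chosen here (assumptions; adjust to your standard image).

```powershell
# Added example (not from the article): inventory domain-joined Windows XP
# workstations and flag which ones have the resources for an in-place move
# to Windows 7. Assumes the RSAT ActiveDirectory module, WMI/RPC reachability
# to each workstation, and an account with local admin rights on them.
Import-Module ActiveDirectory

# Thresholds (assumption): Windows 7 x64 minimums are 1 GHz CPU, 2 GB RAM,
# 20 GB free disk; raise them to whatever your standard image actually needs.
$MinRamGB  = 2
$MinDiskGB = 20

$xpHosts = Get-ADComputer -Filter { OperatingSystem -like "Windows XP*" } `
           -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

$report = foreach ($c in $xpHosts) {
    $row = [ordered]@{
        Name        = $c.Name
        OS          = "$($c.OperatingSystem) $($c.OperatingSystemServicePack)"
        LastLogon   = $c.LastLogonDate
        Reachable   = $false
        RamGB       = $null
        FreeDiskGB  = $null
        Cpus        = $null
        Disposition = "Unknown (offline)"
    }
    if (Test-Connection -ComputerName $c.Name -Count 1 -Quiet) {
        $row.Reachable = $true
        try {
            $cs = Get-WmiObject -Class Win32_ComputerSystem   -ComputerName $c.Name -ErrorAction Stop
            $os = Get-WmiObject -Class Win32_OperatingSystem  -ComputerName $c.Name -ErrorAction Stop
            # Free space on the system drive only (DeviceID looks like "C:")
            $sys = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $c.Name -ErrorAction Stop |
                   Where-Object { $_.DeviceID -eq $os.SystemDrive }
            $row.RamGB      = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
            $row.FreeDiskGB = [math]::Round($sys.FreeSpace / 1GB, 1)
            $row.Cpus       = $cs.NumberOfProcessors
            if ($row.RamGB -ge $MinRamGB -and $row.FreeDiskGB -ge $MinDiskGB) {
                $row.Disposition = "Upgrade candidate"
            } else {
                $row.Disposition = "Replace, or repurpose as VDI/thin client"
            }
        } catch {
            $row.Disposition = "WMI query failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}

# Console summary plus a CSV you can hand to vendors and finance
$report | Sort-Object Disposition, Name | Format-Table -AutoSize
$report | Export-Csv -Path .\xp-inventory.csv -NoTypeInformation
```

Medical devices that are not domain-joined will not appear in Active Directory, so they still need a separate manual or network-scan inventory; an XP box that is "offline" here may simply have its firewall blocking ICMP and RPC.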

Virtualization

Virtualization has been hugely successful in the server arena. This technology places a hypervisor on top of the hardware that allows multiple operating system instances to share the resources of that hardware. In most applications, there is no penalty for running multiple servers on the same hardware if your environment is planned correctly.

One can do the same using VDI. You can run fifty or even one hundred desktops on one physical server. These desktops share the fast CPU, memory, and storage of the physical server to give the end user a high-performance computing environment. You can repurpose your existing desktops to connect to your VDI setup, or you can deploy thin clients to your endpoints.

VDI also provides your staff with centralized management and control of your desktops. This will help a lean staff manage and maintain your environment effectively.

Bottom line

Now is the time to take action. Start working on your strategy for moving your computers and medical devices off Windows XP. Size up your vendor support for upgrading to a newer OS, get an inventory of your impacted devices, and evaluate how you will update your endpoints. Moving to a newer operating system will help you provide a more secure environment in your facility and ensure compliance with HIPAA / HITECH.


Jeffrey Brady is currently the Director of Information Technology for a 60 bed privately-owned hospital. Previously he was the IT Director for a regional recycling company. He started his IT career at the help desk level in 1998 and has moved up to working in network operations centers. He has been a Linux and Windows systems administrator and has done some independent consulting.

87 comments
HIPAA_guy

Prudent covered health care providers should have dropped XP by now.  Those who haven't done so by now are either under-resourced or not paying attention. 

janitorman

So, how about a device, for those XP computers that even NEED to be online, that has a hardware firewall and antivirus, closing all security gaps in the OS by simply not allowing the OS to directly access the internet, only locally connected devices such as the X-ray scanner or a printer?

For those applications that don't need it to be connected, cut the ties. Use the OS with a specific device and don't use it on the internet, use a separate computer for that.

It's a similar idea to make your analog TV work on digital broadcasting when the analog stations all shut down. These were typically $40 with a coupon discounting them for those who signed up. I'm sure Microsoft could afford that, in lieu of having someone purchase a new Windows 8 computer that doesn't work (right out of the box without having to load a virtual machine, use compatibility mode, etc.) with these devices. True, it would cut into their hardware partners profit, as well as their own, but would eliminate the problem entirely.

Rene-Diependaele

I run a linux system from 2003 on hardware of 1998 (with SCSI disks).  I use it with OpenOffice1, FireFox, Evolution mail, XMMS.  Never, never updated it in more than 10 years.  It still keeps working.  I use it mainly as my streaming radio.  If you don't need the latest software version, then never upgrade.  Your system always will work on the speed of the day you started it.  I also use WinXP...  Slow slow slow... because of the patches and updates.  And I use also Win7.  Same problem...  Windows was, is and stays bullshit.  I am an ICT professional using Windows and linux.  Professionally I have to use Windows.  But only linux is the right way to go.

Tony Porras

This won't affect the end user who typically surfs, and streams music and videos. Yes, I realize that some users will also use it for medical work, at least those who haven't migrated, but that's another story. Comments on my comment?

chrisbedford

Seriously?

This is what Tech Republic is running as editorial "content" now?

1. Old news. *Seriously* old news; I think it was announced (for about the 4th time, but probably "for real") in April of *this* year

2. TL; DR, because see (1)

3. Microsoft *ALWAYS* extends EOL deadlines.

rmckay3688

yea right

how many corporations' computers are still using IE 6 ????

l_creech

This doesn't apply just to the healthcare industry, it also applies to the financial industries and several other regulated industries. I wonder how many ATMs are still running Windows XP?

I know many realtors personally that are still running XP because they didn't like Vista or 7, so I can't begin to imagine how they feel about 8. None of these are difficult to learn to use, I prefer 7 over 8 personally, though I'm using 8 on a system everyday to be able to effectively support it for my client base.

wsimbota

It's high time we forget about Win XP

mbaker2311

Absolute hogwash.  Try actually reading the regulations.

Stratocaster

The headline is unnecessarily alarmist and is no doubt designed to increase the click-through rate.  The notion that "you are non-compliant" is not true until next April.  After that time you will be noncompliant (for HIPAA/HITECH) except in the unlikely event that Microsoft changes its XP policy.  Right now no matter what platform is involved, you are liable if a negligent act (e.g., default password) results in a PHI breach.

TRgscratch

Many of the posts seem to support XP as being good.  I think the point of the article was, if you are running an unsupported operating system you may be open to liability claims based on nothing more than that.

alex.a

This XP scare is just so much hot air. Systems which are structured for specific purposes, which stay off questionable sites in the Web, and which use a centralized email server which scans emails are quite secure.

The concept of PC level security is fine for home PCs, but enterprise security is what is needed for the type of systems mentioned above. Depending on the environment, crippling things such as USB ports goes a long way towards avoiding problems.

In addition, hackers will lose interest in XP relatively rapidly as the numbers go down. I have systems from DOS 3.0 through OS/2 and all versions of Windows. With a simple server set-up and a firewall, no penetrations, ever - and this is my home setup (although mind you I do support multiple customers, this is why the proliferation of systems). Of interest, almost all versions of almost all OS run somewhere, in embedded and special purpose systems.

I have a number of applications which run on Windows 95. They simply do not exist in newer systems and there are no migration utilities to new applications which provide similar functions. The data took literally thousands of hours to enter, so re-entering is not a solution. No problem, I have an older laptop which runs 95 very nicely and can continue to use these applications.

Bottom line, XP is here to stay. There is simply too large an investment of XP specific applications and newer Windows OS are more and more geared to individual users and consumers. Commercial users will continue to use XP for decades to come. 

In the mainframe environment, there are many applications, especially in the financial area, which were written in the 1970's and  1980's which are still in production today. They run on OS which most people have never heard of, but they are stable, productive, and do what is needed, so why change? Ditto for XP, the last truly commercial PC OS!!

jdm12

Yet another step towards higher healthcare costs, the number one cause of personal bankruptcy in the U.S.

berniesa

Is Microsoft a protection and extortion racket? May they be accessories to malware creation as a form of knee-capping? This should be the subject of an investigation. You use the worf "non-compliant" suggesting that everyone owes allegiance to MS and must march to their tune.

mjc5

This is proof that all movement is not forward. Perhaps HIPAA will be the shot in the arm that Windows 8 needs.

I wonder how many people will get infections from screen touch gestures leaving germs on screens?

dezrat1242

I would like to suggest a change in the copyright laws. I would like the law to say that when a company no longer supports security updates to an OS, the OS must be made public property and anyone can issue updates and upgrades for that OS and they may charge whatever fee they like.

linux-user

Image, backup the image & reload the image as needed.  

Back up data to a redundant device.  

JeffreyWBrady

I see comments about people sticking with XP even beyond the sunset. This article was focused on the Healthcare arena (in the US) not home users. That being said, while you may not face the compliance issues of staying on XP beyond the sunset, you do face the same security implications when Microsoft stops releasing security patches for Windows XP. Microsoft has extended XP support longer than any other operating system, I just don't see them doing it again. They need to increase Windows 8 adoption and extending XP any longer would be counter to that strategy.

ppg

test comment

Squid Burns

Of course we still use it. Works just fine for the legacy apps and machines not worth upgrading operating systems. Microsoft needs to take one for the team and support it until 2020

ramiss

Interesting how the article states that running an XP virtual machine is a viable, compliant solution. Virtual machines are computers too, and unless you are going to disable the NICs (which isn't likely or you would have just done it on the host machine) then the virtual machine, and your medical database, is still at risk! You could probably be sued for giving advice like that.

Tim Lider

@Alberto - Microsoft has already supported Windows XP for over 11 years. So, if you were a software company would you support 11 year old software you are not even selling anymore? No, you would not, it would be a loss to your company. As for most stable version of Windows, I would pick Windows 7 or even Windows 8. Windows XP BSODs a lot more than Windows 7 or Windows 8.

zca

What's with the headline?? Are you non-compliant now or will you be non-compliant after April 8, 2014?

audetwld

The bottom line is that there are a lot of very expensive devices and software packages that will not run on the newer operating systems and changing these expensive devices and software packages just to please the IT crowd is nothing short of sheer lunacy!

I personally know these examples:

1- A bone specialist that I know has a very good bone scanning machine bought in 1999 for $100,000.  The machine will only run on Windows 9x (direct hardware access) and the manufacturer of the machine did not rewrite the software and firmware to have it work on NT operating systems when XP was released.  About 10 years ago the doctor asked for my advice when he replaced his office computers; replacing the scanner at a cost of $100,000 was out of the question and he was worried about what would happen down the road when a stand alone W9x machine would no longer be available to replace the one attached to the bone scanner should it fail.  I told him to keep his eyes open and get a hold of inexpensive off lease machines which regularly came available from the major suppliers like IBM and HP; he bought about 10 of these older circa 2000 machines and has them all preloaded and tested with W9x and his scanner. There is no way he will replace the bone scanner because some bonehead IT guy tells him about security compliance!

2- A small manufacturer that I know has $75,000 invested in specialized CAD/CAM software and a few million dollars invested in equipment that runs off the software package. All of this is running on Windows XP and it will not run on the newer Windows versions, so what do you think this guy should do?  Throw all of that investment out the door and spend millions because some IT guys are blabbering about compliance?

Maybe IT guys should think twice or be made to pay $50,000 out of their own pockets before they start yapping about old unsupported operating systems.  The world doesn't only revolve around IT!  To those with special or very expensive hardware and software Chicken Little "The sky is falling!" alarms are nothing but self serving BS from the IT crowd.  We've all heard these warnings from the IT crowd, anyone remember the frenzied dire W2K doomsday warnings?

And yes, I do work in IT!  I've seen and heard all of this before.  I do recommend and tell people that they should replace these older legacy operating systems, but I don't think that the whole X-ray / Imaging ward of the local hospital should be ripped out and tossed onto the scrap heap because the equipment there doesn't run on Windows 8.  And in these difficult times I don't think that a small manufacturer should spend hard earned money on useless upgrades because "Windows XP is no longer supported"!

Alberto Brunoni

"If Microsoft had any brains at all and a viable future to keep the market share they have now, they would continue to support XP and create a revenue stream out of improving it, keeping the platform and providing service packs. There is no future for Microsoft trying to reinvent the wheel every year or so with more glitzy and stupid operating systems that suck up the computer resources with useless razzle dazzle embellishments. They must continue the XP platform to maintain their market share and continue to support it. How they haven't figured this one out yet just speaks loudly about how out of touch they are with the whole market they created at one point." (Tomi01)

Paul Williamson

Some people will be forced to stay with Windows XP as they may have specific hardware that only runs as required on Windows XP.

Tony Bunce

I've got perfectly good laptops that run XP well. Give me some money to upgrade them and I'll be happy.

Jamal Alhaque

one of the best and stablest so far by Microsoft ..

Alan21

Watch a programme about hackers and the development of Quark computers, it seems all today's computers will be vulnerable.

Gisabun

Zzzzzzzzz. So exactly how many years will your Linux OS be supported? 2? 3?

Gisabun

Don't expect another extension to Win XP. It has been extended once and that's enough.

Gisabun

Errrr. This has what to do with Windows XP?

JeffreyWBrady

@jdm12 I look at this quite differently. I would hope and expect Healthcare providers would have high security to protect our personal information. I see this as another step to secure our private medical records and protect Americans from identity theft, which also has wrecked the finances of many families.

Gisabun

What? You are complaining that Microsoft will keep alive an antiquated OS for 14 years and you want it longer?

Name one OS out there that even lasts 10 years of support? Nothing from Linux, Android, OS X, ...

What kind of extortion? Do you know what extortion means?

AnonyJew

@berniesa Your typo of word in Worf makes your comment all the better.  Non-compliance in the Klingon culture is a death sentence unless you are working for the Federation.

jdm12

@dezrat1242 Interesting idea. But also an opportunity to install some awful malware.

AnonyJew

@JeffreyWBrady What are your thoughts on institutions of higher learning (community and state colleges mainly) that are sticking with XP and other legacy OS?  I work at an institution that uses an antiquated UNIX system for student record and grade storage and 90% of the faculty workstations are running XP with the servers in a Server 2008 framework.  FERPA is just as important in the education system as HIPAA is in the health care system.

Gisabun

Seems people at TR know less than sh?t. The day after the patches come out in April, companies who are required to have supported OSs from the various regulations will be non-compliant.

mjc5

@audetwld That's what I had to do when I was mandated to run Vista on a network I administer. It was amusing and terrifying to tell them that their recently installed peripherals didn't have Vista drivers. Of course, that was my fault. Bosses don't make mistakes.

JeffreyWBrady

@audetwld 

I think it might be possible to get away with having XP on a device that isn't networked. At least it would be one of my lesser concerns. However, most of the medical devices we use are connected to the network, wireless or physical. Our plan is to address workstations first, then medical devices connected to the network; anything beyond that we will have to make a call on.

Nitramd

Watched that too, the Quantum Computers' innate ability to perform a massive number of simultaneous computations could, amongst many things, break the sub prime keys that are fundamental to securing the internet. So just a bit more serious than hacking PCs.

bobc4012

@JeffreyWBrady @jdm12 

Then they should dump Windows and migrate to more secure systems! I recall reading an article a while back that the majority of security breaches dealing with credit cards, etc. are occurring on Windows based installations. 

ramiss

The trick to security with any computer system is to realize that it is an arms race against those that want your data or resources. Any institution that wants to minimize the risk must consider constantly upgrading.  Computers aren't a "set it and forget it" system. I understand that education doesn't have the money, but can you afford NOT to stay secure?  Think of it another way - 14 years of free security updates for the one time price of XP is a bargain!  Just do me a favor - Make sure that whoever pitches the upgrade to the finance committee explains to them the full reality this time. That way you aren't in this boat in another 8 years.

audetwld

@JeffreyWBrady @audetwld I understand your concerns and your need to comply with the regulations that apply to your sector.  If you must remove expensive, perfectly good equipment to comply with regulations, I would only suggest and hope that instead of scrapping the old equipment, perhaps with the help of an aid organization you try to arrange to have it go to needy hospitals of our neighbors in Central or South America... or to another needy poor country somewhere else.

Nitramd

Oops! Not Sub prime, meant Semi-Prime numbers.
