Running Windows XP means you are non-compliant and open to liability

After April 8, 2014, Microsoft will no longer release security patches for Windows XP, which effectively puts any XP system out of compliance with HIPAA / HITECH.

By Jeffrey Brady

Information Technology Pros in the healthcare industry may want to get a head start on their spring cleaning. Microsoft's extended support for Windows XP ends on April 8, 2014. After this date, Microsoft will not release any security patches or updates for Windows XP, so every vulnerability discovered from then on stays exploitable for as long as the machine is in service. Because the HIPAA Security Rule requires covered entities to manage known risks and protect systems from malicious software, an operating system with known, unfixable vulnerabilities effectively leaves you non-compliant with HIPAA / HITECH after Microsoft support ends.

Goodbye XP

Windows XP was released to manufacturing on August 24, 2001 and has been widely deployed in homes and corporate environments alike. In the healthcare arena, XP may be found on workstations used by clinical staff, on CT machines, and inside other critical medical devices.

Most of these devices are on the network because they exchange data with EHR/EMR systems, so simply disconnecting them is not an option. In addition, many of these devices are running old and proprietary applications that may not run on a newer operating system such as Windows 7 or 8. For a device that genuinely cannot be upgraded before the deadline, the realistic interim control is isolation: put it on its own network segment and allow only the traffic it needs to reach the EHR/EMR system, so an unpatched host is at least not reachable from every workstation in the building.

What can an IT pro do when faced with this dilemma? In an ideal world your systems would already be off XP, or you would be well into a migration effort. However, some of us have inherited this problem and must find a solution that not only addresses it, but does so in a cost-effective manner. Ideally, you will even have the opportunity to make technical improvements in your infrastructure, enhance the security and manageability of your systems, and provide your clinical staff with a more efficient computing environment.

Evaluate your current situation

Getting your vendors involved is very important at this stage. You will want to find out how to move to newer versions of their software that are compatible with Windows 7 or later. If you have a current maintenance agreement, you may just need to download their newest release and put it through your testing process. If you are not on maintenance, you may face pricey upgrades to move to their new platform.

Another option may be to run the application on a terminal server and have your clients access it over a remote desktop connection. The application then lives on a supported server operating system, and the endpoint only needs an RDP client, so the XP boxes can be replaced with anything that speaks RDP. This only helps, of course, if the vendor supports the application on a current Windows Server release.

Lastly, you will also want to do an assessment of your medical devices to see which of these systems may be impacted by the Windows XP "sunset". Keep in mind that many device vendors only support the operating system image they shipped and validated with the device, so for this class of equipment the vendor, not your team, decides whether an upgrade is possible.

Your next steps are to evaluate your current workstations. Do they have the resources to run a newer version of Windows? If so, you can exercise your volume licensing upgrade options, or purchase the proper licensing to upgrade your environment. A more likely scenario is that you have old workstations that are overdue for replacement anyway, in which case upgrading would not be practical.
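The vendor, device and workstation evaluation above starts with the same question: which machines are still on XP, and which of those have the hardware to take a newer Windows? The script below is an added example, not code from the original article or its author. It pulls every computer object in Active Directory whose operating system is reported as Windows XP, pings the ones that have logged on recently, and reads CPU, memory and system-disk size over WMI to flag which boxes clear the published Windows 7 minimums. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the account running it can query WMI on the workstations, and that the XP hosts are domain-joined; the thresholds, the 90-day staleness cutoff and the output file name are assumptions you should adjust to your own standard image.

```powershell
# Added example (not from the original article): inventory Windows XP hosts
# from Active Directory and check whether each can run Windows 7.
# Assumes: RSAT ActiveDirectory module, WMI access to the workstations,
# domain-joined XP hosts. Thresholds are the Windows 7 minimums for the
# 32-bit edition (1 GHz CPU, 1 GB RAM, 16 GB disk); raise them to whatever
# your standard image actually needs. The 90-day cutoff is an assumption.
Import-Module ActiveDirectory

$MinCpuMHz = 1000
$MinRamGB  = 1
$MinDiskGB = 16
$StaleDays = 90
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# Every computer object still reporting an XP operating system string.
$xpHosts = Get-ADComputer -Filter { OperatingSystem -like "Windows XP*" } `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

$report = foreach ($h in $xpHosts) {
    $row = @{
        Name        = $h.Name
        OS          = "$($h.OperatingSystem) $($h.OperatingSystemServicePack)".Trim()
        LastLogon   = $h.LastLogonDate
        # No logon date at all is treated as stale (probably decommissioned).
        Stale       = ($null -eq $h.LastLogonDate) -or ($h.LastLogonDate -lt $cutoff)
        Reachable   = $false
        CpuMHz      = $null
        RamGB       = $null
        SysDiskGB   = $null
        Win7Capable = $null
        Error       = $null
    }

    if (-not $row.Stale -and (Test-Connection -ComputerName $h.Name -Count 1 -Quiet)) {
        try {
            $cs   = Get-WmiObject Win32_ComputerSystem  -ComputerName $h.Name -ErrorAction Stop
            $cpu  = Get-WmiObject Win32_Processor       -ComputerName $h.Name -ErrorAction Stop |
                    Select-Object -First 1
            $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $h.Name -ErrorAction Stop
            # Size of the drive Windows is installed on (SystemDrive is e.g. "C:").
            $disk = Get-WmiObject Win32_LogicalDisk     -ComputerName $h.Name -ErrorAction Stop |
                    Where-Object { $_.DeviceID -eq $os.SystemDrive }

            $row.Reachable = $true
            $row.CpuMHz    = [int]$cpu.MaxClockSpeed
            $row.RamGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
            $row.SysDiskGB = [math]::Round($disk.Size / 1GB, 0)

            $cpuOk  = $row.CpuMHz    -ge $MinCpuMHz
            $ramOk  = $row.RamGB     -ge $MinRamGB
            $diskOk = $row.SysDiskGB -ge $MinDiskGB
            $row.Win7Capable = $cpuOk -and $ramOk -and $diskOk
        } catch {
            # WMI refused or firewalled: still an XP host, just not assessable remotely.
            $row.Error = $_.Exception.Message
        }
    }

    New-Object PSObject -Property $row |
        Select-Object Name, OS, LastLogon, Stale, Reachable, CpuMHz, RamGB, SysDiskGB, Win7Capable, Error
}

# Assumed output location; the CSV is what you hand to vendors and to purchasing.
$report | Export-Csv -Path .\xp-inventory.csv -NoTypeInformation

# Quick summary on the console: how many can be upgraded in place vs. must be replaced or isolated.
$report | Group-Object Stale, Reachable, Win7Capable | Select-Object Count, Name
```

Two caveats on what this does and does not find. It only sees machines that are domain-joined and whose AD object carries an operating system string, so medical devices and standalone imaging consoles that were never joined to the domain will not appear; those need a separate inventory from vendor records, DHCP leases or a network scan. And a host that answers ping but refuses WMI lands in the report with an Error rather than being dropped, which is deliberate: an XP box you cannot manage remotely is still an XP box you have to deal with.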

You can look at simply replacing your desktops with new shiny boxes and work on your migration plan for applications and user data. Another option you may strongly consider is implementing a VDI (virtual desktop infrastructure).


Virtualization has been hugely successful in the server arena. This technology uses a hypervisor on top of the hardware that allows multiple copies of an operating system to share the resources of that hardware. If the host is sized correctly for its workload, running many servers on the same hardware carries little performance penalty.

One can do the same using VDI. You can run fifty, maybe even one hundred, desktops on one physical server. These desktops share the fast CPU, memory, and storage of the physical server to give the end user a high-performance computing environment. You can repurpose your existing desktops to connect to your VDI setup, or you can deploy thin clients to your endpoints.

VDI also provides your staff with centralized management and control of your desktops: patches and configuration changes are applied to a master image once rather than to hundreds of scattered machines, and the patient data that clinical staff work with stays on storage in the data center instead of on the local disk of a workstation that can be lost or stolen. This will help your lean staff manage and maintain your environment effectively.

Bottom line

Now is the time to take action. Start working on your strategy for moving your computers and medical devices off Windows XP. Size up your vendor support for upgrading to a newer OS, get an inventory of your impacted devices, and evaluate how you will update your endpoints. Moving to a supported operating system will help you provide a more secure environment in your facility and meet your HIPAA / HITECH obligations.

Jeffrey Brady is currently the Director of Information Technology for a 60 bed privately-owned hospital. Previously he was the IT Director for a regional recycling company. He started his IT career at the help desk level in 1998 and has moved up to working in network operations centers. He has been a Linux and Windows systems administrator and has done some independent consulting.