Eric Soto

Independent Technology Professional

Welcome! I am Eric Soto, Software Engineer and Technology Leader specializing in iPhone/iOS, Android apps, NodeJS APIs, and Cloud Solutions on AWS and Azure. I am based in Orlando Florida but work on projects across the US.

Healthcare providers, your time is running out to replace Windows XP!

Healthcare providers still relying on Windows XP are at risk of security vulnerabilities even today, and the problem will get worse in April 2014 once Microsoft stops issuing patches for this 12-year-old operating system! There simply is no reason to still be using Windows XP, and it may lead to compliance issues and exposure to huge liability for providers.

Windows XP is literally “ancient” technology (by technology standards), created for a completely different “time” in our technology landscape. It was released in 2001 then replaced in 2007 (nearly 7 years ago.) It has had a long and, some would argue, a good run, but it is now seriously outdated. Three completely new versions of Windows have been released following Windows XP.

Windows XP actually has been outdated for years and Microsoft dropping support for this old technology is not surprising at all. What is more surprising is that it was supported this long and that there are any users at all still depending on this operating system, which has left them exposed time and time again! Not to mention, these users have an extremely limited (and underwhelming) view of the Internet because a lot of modern software will also not run under Windows XP, and few (if any) serious commercial software companies release software optimized for Windows XP.

If you can hack it, they will come!

Will hackers come out in droves to exploit XP? Absolutely! They already do! Windows XP has had literally hundreds (thousands) of patches in its lifetime. Because it is no longer in development (and has not been in years), Microsoft does not actively look for Windows XP vulnerabilities (why would they?) Instead, they simply fix what others identify. This means that every time there is a Windows XP patch, it is very likely that the patch was driven by a LIVE EXPLOIT that someone other than Microsoft identified. Sometimes, exploits are identified by security companies or white-hat hackers and ethically disclosed to Microsoft before they cause harm. More often with an old technology, however, exploits are being identified when attacks are successful. This means someone (a real person) was affected by an exploit (read as identity theft, data breach, money fraud, malware, loss of data, etc.)

Besides the security implications, there are serious cost implications as well. In a study commissioned by Microsoft in May 2012, IDC found that supporting older Windows XP installations, compared with a modern Windows 7–based solution, saddles organizations with a dramatically higher cost. The annual cost per PC for Windows XP is $870, while a comparable Windows 7 installation costs $168 per PC per year. That is an incremental $701 per PC per year for IT and end-user labor costs. (http://www.microsoft.com/en-us/download/confirmation.aspx?id=29883)

Should providers migrate away from Windows XP prior to April 2014?

Yes, absolutely!

Windows XP was released in late 2001, making it over 12 years old! Microsoft stopped selling Windows XP in 2008 (nearly 6 years ago) mostly with minor exceptions. Windows XP was replaced by a more modern operating system in 2007 (nearly 7 years ago) and since then, we've actually had three new operating systems (with the latest being Windows 8, recently released.)

In technology, 12 years is a lifetime! The world of tech was vastly different 12 years ago! To put it in context, when Windows XP first came out, most users had dial-up to access the Internet, and broadband internet was a dream technology. There were no smartphones (instead we had PDAs that did not have internet access) and cellphones actually were for making calls! Even text messaging (now so ubiquitous) was not generally available for most cellphone users.

Though Windows Vista was not well received, Windows 7 has been very successful in its adoption and has brought many security and usability improvements to computers.

A migration to Windows 7, even if it necessitates a hardware upgrade (and it does not always require new hardware), is a prudent (and urgent) course of action for anyone running Windows XP!

Additionally, though we have not ourselves analyzed the compliance implications in healthcare as they relate to Meaningful Use, HIPAA and other healthcare regulations, it is very likely that Windows XP (once it is no longer supported by Microsoft in April 2014) might be the cause of failing compliance for many healthcare providers.

What about compliance with Healthcare regulations?

Using Windows XP most definitely will cause non-compliance for those that must meet certain regulations. This is not a matter for debate, but rather a simple read of the applicable Healthcare regulations.

For instance, the Meaningful Use Stage I Core Measure 14 of 14 states as its measure (underline added for emphasis): [Eligible Professionals must] Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Since Windows XP is not open source, no one but Microsoft has access to the code. Once Microsoft stops issuing patches to Windows XP, it will not be possible for anyone to legally “implement security updates” nor to “correct identified security deficiencies”. Simply put, Windows XP will not meet Core Measure 14 of MU Stage I and therefore, any provider using it will have compliance issues.

Interestingly, Microsoft Office 2003 and Windows Server 2003 (also both used extensively in medical practices) also will arrive at their “End of Life” support soon! Practices should take the opportunity when they upgrade Windows XP to also upgrade Microsoft Office at the very least. They should also strongly consider upgrading Windows Server 2003, if not at the same time, very very soon.

Conclusion

Upgrade away from Windows XP, today please! You "think" you're saving money, but you are not. Windows XP could cost you your practice, maybe more.


 
