Microsoft will only be supporting Windows XP until April 8, 2014.
Many hospitals and physicians are still running Windows XP, often because they have legacy software systems or lab equipment that depends on Windows XP.
In many cases, the original hardware or software vendor has discontinued support for the product or has gone out of business. So there is no easy way to upgrade existing software systems.
Since Windows XP was released in 2001, Microsoft has been issuing new security patches to fix weaknesses that hackers could use to attack XP computers. However, on April 8, 2014, Microsoft will stop writing patches for Windows XP. There will be no way—paid or unpaid—to fix new security issues found and exploited after April 8.
The end of XP support is a huge issue for healthcare organizations, because the sunset of Windows XP means the end of HIPAA compliance. Starting on April 8, any health organizations still running Windows XP will be noncompliant with HIPAA and with HITECH.
According to HIPAA Security Rule section 164.308(a)(5)(ii)(B), organizations with sensitive personal health information must ensure:
(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.—HIPAA
On April 8, when it will be no longer possible to update the operating system software, it will be impossible for health organizations to comply with this HIPAA Security Rule specification.
Section 1173(d) of the Act provides that covered entities that maintain or transmit health information are required to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of the information and to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized use or disclosure of the information. These safeguards must also otherwise ensure compliance with the statute by the officers and employees of the covered entities.—HHS.gov
Any organization that continues to have Windows XP machines on its network—even if it’s just one machine—is on very shaky legal ground come April 8. In the event of a breach, it will be very hard for legal counsel to argue that hospital administrators took “reasonable and appropriate” measures to protect private health information if the system was attacked via an unpatched, unsupported 12-year-old operating system.
Lenovo strongly urges any organizations that still have XP machines to upgrade immediately:
The most substantial liability issue involves the impact that Windows XP may exert with respect to putting an organization into a somewhat indefensible legal position. For example, the Data Protection Act in the United Kingdom requires that organizations use up-to-date software to protect critical or private personal and business information. According to the General Services Administration (GSA), 46 U.S. states have data privacy laws with widely varying non-compliance penalties, each requiring the exercising of due diligence in the protection of private information. It goes without saying that any breach traced to a Windows XP system would likely be a violation of these statutes. Given the publicity and common knowledge around the Windows XP EOL date and its potential impacts, using Windows XP may at the very least cast doubt that an organization was being “duly diligent”.—Lenovo
Roughly 1/3 of the world’s millions of PCs are still running the 12-year-old Windows XP. That’s 500 million computers, and more than a billion users.
In the healthcare arena, XP can be found on workspaces used by clinical staff, computers connected to critical medical devices, and CT machines (among other uses). In many cases, the software requires XP to run, and is attached to expensive laboratory equipment that cost hundreds of thousands of dollars.
It’s highly likely that computer hackers are sitting on known Windows XP exploits, waiting for April 8 so they can release the viruses and trojans into the wild. (By waiting until April 8, they ensure that their exploit will never be patched.) In just a few days, 500 million computers will be unpatched. And most of those computers will have flash drives and always-on internet connections.
That’s a gigantic target; we’ve never seen anything like it before.
What can be done?
First, figure out the scope of the problem.
It’s absolutely critical to perform an end-to-end IT security audit of your entire infrastructure. Every single machine. (You should be doing this periodically anyway; it’s part of HIPAA compliance.)
Put a list together of which machines you have still running Windows XP.
Next, identify dependencies.
Compile a list of all the software and lab equipment you have that requires Windows XP to run. For each item on the list, you will need to come up with an action plan.
Finally, upgrade each machine.
For machines without software dependencies, it’s a relatively simple matter to upgrade. You can upgrade to Windows 7 or Windows 8.
If you do have software or lab equipment dependencies, you still need to upgrade. However, you have several options.
First, check to see if the vendor offers a later version that’s compatible with Windows 7 or Windows 8. If so, you can upgrade the computer and the third-party equipment at the same time.
If there is no version compatible with a modern operating system, then check to see if there are competitors who offer a similar product (or better). There have been a number of advances in the past 12 years, and newer products often take advantage of significantly increased computing power, more advanced encryption techniques, cloud storage, and networking.
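To carry out the audit and inventory steps above, here is an added PowerShell example (not from the original article) that lists domain-joined machines still reporting Windows XP to Active Directory and confirms any doubtful host directly over WMI. It assumes the RSAT ActiveDirectory module is installed and the account can read computer objects; the output file name xp-inventory.csv and the 90-day staleness window are arbitrary choices.

```powershell
# Added example: inventory domain-joined hosts that still report a Windows XP build.
# Hosts never joined to the domain (e.g. network-isolated lab equipment, CT consoles)
# will NOT appear here and must be added to the inventory by hand.
Import-Module ActiveDirectory

# XP registers itself in AD as "Windows XP Professional" (kernel 5.1, or 5.2 for the
# x64 edition). Matching the OperatingSystem string is more dependable than the
# version attribute, which is often blank on objects created years ago.
$xpHosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address

# Separate live machines from stale AD records: a host with no logon in 90 days is
# probably decommissioned, but it stays on the list until someone confirms that.
$cutoff = (Get-Date).AddDays(-90)   # 90 days is an assumed threshold, adjust to policy
$report = $xpHosts | ForEach-Object {
    [PSCustomObject]@{
        Name        = $_.Name
        OS          = $_.OperatingSystem
        ServicePack = $_.OperatingSystemServicePack
        IPv4Address = $_.IPv4Address
        LastLogon   = $_.LastLogonDate
        Status      = if ($_.LastLogonDate -ge $cutoff) { 'ACTIVE - must remediate' }
                      else { 'Stale - confirm decommissioned' }
    }
}

$report | Sort-Object Status, Name | Format-Table -AutoSize
$report | Export-Csv -Path .\xp-inventory.csv -NoTypeInformation   # placeholder path

# Confirm a host's real OS when its AD record is incomplete or suspicious.
# Get-WmiObject is used deliberately: it talks DCOM, which XP supports, whereas
# Get-CimInstance defaults to WS-Man, which XP does not provide out of the box.
function Test-IsWindowsXP {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        [PSCustomObject]@{
            ComputerName = $ComputerName
            Caption      = $os.Caption          # e.g. "Microsoft Windows XP Professional"
            Version      = $os.Version          # "5.1.2600" on 32-bit XP
            IsXP         = ($os.Caption -like '*Windows XP*')
        }
    } catch {
        Write-Warning "Could not query $ComputerName : $($_.Exception.Message)"
    }
}

# Usage: Test-IsWindowsXP -ComputerName LAB-PC-01   (hypothetical host name)
```

Feed the resulting CSV into the dependency step: each ACTIVE row needs a named owner, the software or instrument that ties it to XP, and a dated action plan.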
Are you ready for the Windows XP end-of-life on April 8?