Will Your Organization Lose its HIPAA Compliance? | Syscom Business Technologies

Will Your Organization Lose its HIPAA Compliance?

As of April 8th, 2014, Microsoft will officially be ending support for Windows XP.

Many hospitals and physicians are still running Windows XP, generally because they have legacy software systems or lab equipment that depends on Windows XP. In many cases, the main components or software supplier ended support for the product or has gone out of business.

Since Windows XP was released in 2001, Microsoft has been issuing security patches to fix weaknesses that attackers could use against XP computers. However, as of April 8th, 2014, Microsoft is ending its support for Windows XP. There will be no way—paid or unpaid—to fix new security issues found and exploited after April 8.

The end of support for XP is a big deal to healthcare organizations because the end of Windows XP means the end of HIPAA compliance. As of April 8, any healthcare organization still running Windows XP will be noncompliant with HIPAA and with HITECH.

According to HIPAA Security Rule section 164.308(a)(5)(ii)(B), organizations with sensitive personal health information must ensure:

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.—HIPAA

From the Department of Health and Human Services, 45 CFR parts 160, 162, and 164 of the Health Insurance Reform Security Standards, Final Rule:

Section 1173(d) of the Act provides that covered entities that maintain or transmit health information are required to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of the information and to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized use or disclosure of the information. These safeguards must also otherwise ensure compliance with the statute by the officers and employees of the covered entities.—HHS.gov

Virtually any organization that continues to keep Windows XP on its network—even if it is just one single machine—is on very shaky legal ground as of April 8. In the event of a breach, it will be very hard for legal counsel to argue that hospital administrators took “reasonable and appropriate” steps to protect private health information when the system was compromised through an unpatched, unsupported 12-year-old operating system.

Lenovo strongly urges any organizations that still have XP machines to upgrade immediately:

The most substantial liability issue involves the impact that Windows XP may exert with respect to putting an organization into a somewhat indefensible legal position. For example, the Data Protection Act in the United Kingdom requires that organizations use up-to-date software to protect critical or private personal and business information. According to the General Services Administration (GSA), 46 U.S. states have data privacy laws with widely varying non-compliance penalties, each requiring the exercising of due diligence in the protection of private information. It goes without saying that any breach traced to a Windows XP system would likely be a violation of these statutes. Given the publicity and common knowledge around the Windows XP EOL date and its potential impacts, using Windows XP may at the very least cast doubt that an organization was being “duly diligent”.—Lenovo

Roughly a third of the world’s PCs are still running the 12-year-old Windows XP. That’s 500 million computers, and more than a billion users.

So, what can be done?

1. Figure out the scope of the problem

First, it’s essential to complete a thorough end-to-end IT security audit of your entire infrastructure, covering every device. (You should be doing this periodically anyway; it’s part of HIPAA compliance.)

2. Identify dependencies

Gather a list of all the software and lab equipment you have that requires Windows XP to run. For each item on the list, you will need to come up with an action plan.

3. Upgrade each machine

For machines without software dependencies, it’s a relatively simple matter to upgrade. You can upgrade to Windows 7 or Windows 8.

Another choice is what’s called “virtualization.” Generally, you start with a machine running a modern operating system, for example Ubuntu 13.10. Then you can set up multiple “virtual” machines running on the same hardware, so that legacy XP-only software is isolated inside a virtual machine instead of running on an unsupported physical host.
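As an added illustration of steps 1 through 3 (not code from Syscom or from the original post), the script below triages a constructed asset inventory: it flags every Windows XP host as out of compliance on or after the April 8, 2014 end-of-support date, and assigns each one either a direct upgrade or, where XP-only software is listed, a virtualization plan. The hostnames, products and the `Asset` record layout are all assumptions made up for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Microsoft's end-of-support date for Windows XP, as stated in the article.
XP_END_OF_SUPPORT = date(2014, 4, 8)

@dataclass
class Asset:
    hostname: str
    os_name: str
    xp_only_software: list = field(default_factory=list)  # software that only runs on XP

def is_windows_xp(os_name: str) -> bool:
    """Treat every edition of Windows XP (Home, Professional, Embedded) as affected."""
    return os_name.strip().lower().startswith("windows xp")

def triage(assets):
    """Steps 1 and 2: one action per XP host.
    'upgrade'    - no XP-only dependency, move it to Windows 7/8 directly
    'virtualize' - XP-only software present, isolate it in a VM on a modern host"""
    plan = {}
    for a in assets:
        if not is_windows_xp(a.os_name):
            continue
        if a.xp_only_software:
            plan[a.hostname] = ("virtualize", list(a.xp_only_software))
        else:
            plan[a.hostname] = ("upgrade", [])
    return plan

def compliance_summary(assets, today):
    """Count the hosts that put the organization out of compliance once support has ended."""
    xp_hosts = [a for a in assets if is_windows_xp(a.os_name)]
    past_eol = today >= XP_END_OF_SUPPORT
    return {"xp_hosts": len(xp_hosts), "past_eol": past_eol,
            "noncompliant_hosts": len(xp_hosts) if past_eol else 0}

# Constructed sample inventory; none of these are real hosts or products.
SAMPLE_INVENTORY = [
    Asset("reception-01", "Windows XP Professional"),
    Asset("lab-analyzer-02", "Windows XP Embedded", ["AnalyzerCtl 3.1 (vendor defunct)"]),
    Asset("billing-07", "Windows 7 Professional"),
    Asset("radiology-04", "windows xp professional", ["LegacyPACS viewer"]),
]

if __name__ == "__main__":
    for host, (action, deps) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {action}" + (f" (depends on: {', '.join(deps)})" if deps else ""))
    print(compliance_summary(SAMPLE_INVENTORY, XP_END_OF_SUPPORT))
```

Feeding it a real inventory export means mapping your own asset fields onto `Asset`; the dependency list is what turns a host from a simple upgrade into an item needing its own action plan.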

Are you ready for the Windows XP end-of-life on April 8? Let us know in the comments!