As is the case with most pending vendor support deadlines, the upcoming end of Microsoft Windows XP support on April 8, 2014 has been a polarizing topic in the enterprise and healthcare spaces. There are some organizations that may be unaware that Microsoft will no longer be providing security patches and others that are building Fort Knox 2.0 because of the XP end of support.
However, a few IT security professionals within healthcare organizations told HealthITSecurity.com that they believe the biggest impact will likely be on smaller healthcare organizations. The reality for these organizations is that they must account for projects such as ICD-10 or Meaningful Use and upgrading their XP machines may go on the back-burner out of necessity. Without the proper funding and IT security talent available to some providers, these security concerns become that much more difficult to manage.
Stephen Person, Network & Security Engineer at North Valley Hospital and HealthCare Information Security and Privacy Practitioner (HCISPP), said he guarantees that many organizations are looking at the end-of-life of Windows XP.
The obvious fear is that there’s someone out there squatting on a vulnerability that they don’t know about yet and as soon as the support life ends, they’re going to have this XP zero-day. I believe that probably what’s happening is everyone is containing their environments as tightly as they can at the network level and at the access control level. And [most organizations should] have a plan to get off of XP [if they're already not].
Some organizations may be pegged in a hole at the moment, Person explained, because there are some healthcare vendors that may not support newer environments. Therefore, those organizations wouldn’t have a choice other than to use XP. He said that organizations should look at potential Windows XP upgrades from a risk perspective and treat their environments as though XP vulnerabilities are the reality. “We’re security, so we need to be paranoid about everything,” Person said.
Jeffrey Brown, Lawrence General Hospital CIO, echoed some of these thoughts as he explained that his organization tries to be very proactive about end-of-life hardware and software. Lawrence General has a whole program in place that tracks where it stands on end-of-life technology, and it continually monitors that list. “We do have a few rogue machines that are on XP and we have a nice transition plan for those,” he said. “But I think about those thousands of smaller community hospitals where I can see that kind of transition being burdensome.”
Brown also offered a reminder that the end of Windows XP support isn’t necessarily handled in a vacuum by organizations that are dealing with multiple responsibilities, especially in 2014. These projects include ICD-10, Stage 2 Meaningful Use, and growing security needs such as BYOD policies.
In isolation, the transition from Windows XP might not seem like a big leap. But for resource and financially-constrained organizations that are dealing with a multitude of these other complex problems, it’s a small thorn in their side that could ultimately end up being a bigger deal than most people anticipate.
Phil Alexander, Information Security Officer at UMC Health System, also agreed that he’s worried about smaller organizations dealing with the XP end of life. He said that even at UMC, there are some legacy apps that it can secure by putting them into a firewalled-off area because it has the resources to do so.
In general, it scares me more for smaller organizations such as clinics and doctor’s offices that don’t have the resources to be able to [upgrade their operating systems]. Many of them don’t have a dedicated security person on staff.
Alexander added that he believes many organizations, including his own at UMC, moved too slowly with the upgrade from Windows XP to Windows 7. He said that about 15 percent of UMC’s machines are currently in the process of being upgraded to Windows 7 and the migration was mainly precipitated by the killing of XP support. “We’ll meet the deadline, but we shouldn’t be this close to it,” he said.