Healthcare Information Security

How will Windows XP end of support affect health IT security?

By Patrick Ouellette

As is the case with most pending vendor support deadlines, the upcoming end of Microsoft Windows XP support on April 8, 2014 has been a polarizing topic in the enterprise and healthcare spaces. There are some organizations that may be unaware that Microsoft will no longer be providing security patches and others that are building Fort Knox 2.0 because of the XP end of support.

However, a few IT security professionals within healthcare organizations told that they believe the biggest impact will likely be on smaller healthcare organizations. The reality for these organizations is that they must account for projects such as ICD-10 or Meaningful Use and upgrading their XP machines may go on the back-burner out of necessity. Without the proper funding and IT security talent available to some providers, these security concerns become that much more difficult to manage.

Stephen Person, Network & Security Engineer at North Valley Hospital and HealthCare Information Security and Privacy Practitioner (HCISPP) said he guarantees that many organizations are looking at the end-of-life of Windows XP.

The obvious fear is that there’s someone out there squatting on a vulnerability that they don’t know about yet and as soon as the support life ends, they’re going to have this XP zero-day. I believe that probably what’s happening is everyone is containing their environments as tightly as they can at the network level and at the access control level. And [most organizations should] have a plan to get off of XP [if they're already not].

  • Some organizations may be pegged in a hole at the moment, Person explained, because there are some healthcare vendors that may not support newer environments. Therefore, those organizations wouldn’t have a choice other than to use XP. He said that organizations should look at potential Windows XP upgrades from a risk perspective and treat their environments as though XP vulnerabilities are the reality. “We’re security, so we need to be paranoid about everything,” Person said.

Jeffrey Brown, Lawrence General Hospital CIO, echoed some of these thoughts as he explained that his organization tries to be very proactive about end-of-life hardware and software. Lawrence General has a whole program in place that tracks and monitors where it’s at in terms of end of life technology and it continually monitors that list. “We do have a few rogue machines that are on XP and we have a nice transition plan for those,” he said. “But I think about those thousands of smaller community hospitals where I can see that kind of transition being burdensome.”

Brown also offered a reminder that Windows XP end of life support isn’t necessarily treated in a vacuum among organizations that have multiple responsibilities they’re dealing with, especially in 2014. These projects include ICD-10, Stage 2 Meaningful Use, and growing security needs such as BYOD policies.

In isolation, the transition from Windows XP might not seem like a big leap. But for resource and financially-constrained organizations that are dealing with a multitude of these other complex problems, it’s a small thorn in their side that could ultimately end up being a bigger deal than most people anticipate.

Phil Alexander, Information Security Officer at UMC Health System, also agreed that he’s worried about smaller organizations dealing with the XP end of life. He said that even at UMC, there are some legacy apps that it can secure by putting them into a firewalled-off area because it has the resources to do so.

In general, it scares me more for smaller organizations such as clinics and doctor’s offices that don’t have the resources to be able to [upgrade their operating systems]. Many of them don’t have a dedicated security person on staff.

Alexander added that he believes many organizations, including his own in UMC, moved up too slowly with the upgrade from Windows XP to Windows 7. He said that about 15 percent of UMC’s machines are currently in the process of being upgraded to Windows 7 and the migration was mainly precipitated by the killing of XP support. “We’ll meet the deadline, but we shouldn’t be this close to it,” he said.


