It was Geoffrey Chaucer in the year 1374 who said the words “all good things must come to an end.” Those words are echoing once again as the sun sets on Microsoft’s XP operating system and Office 2003 on April 8th of this year. We could wax eloquent about the adoration PC users worldwide have had, and still do, for Windows XP. It wasn’t just that XP replaced the Ford Edsel of operating systems, Windows ME; it was that XP proved to be an easy-to-use, highly functional, and extremely stable software platform that also benefitted from the near-total realization of the plug-and-play concept for devices and accessories. So it ends, as per Microsoft’s Support Lifecycle policy, and with that so ends its HIPAA compliance. What does it mean to you, why does it matter, and what can you do about it?
What Does It Mean to You?
First and foremost, on April 9th of this year, any systems you are running that have XP or Microsoft Office 2003 on them will NOT stop working. In fact, few if any users will notice any difference at all after April 8th. What is changing is that Microsoft, and equally important to note, most other independent software vendors (ISVs), will stop creating and publishing updates, bug fixes and patches. Most hardware manufacturers have already stopped developing XP-compatible drivers for their newer devices. Although Microsoft and others have announced they will extend antivirus coverage until mid-2015, they also caution it does not mean virus protection will be effective against new attacks, nor does it mean XP can be considered HIPAA compliant.
Make no mistake; this is a seismic shift for the computing world. It’s estimated by Net Applications that 37% of the PCs around the world are still running XP. A scan of our own healthcare IT clients shows a similar percentage. While the adage “if it isn’t broken, don’t fix it” is frequently sage advice when it comes to technology, it isn’t functional obsolescence that should motivate you to replace XP; it’s that keeping it exposes healthcare organizations to regulatory issues.
Why It Matters
In reality, the migration away from XP can continue at the leisurely pace that has been happening for the past few years, but for one very important concern—it’s no longer HIPAA compliant. Simply stating something is not HIPAA compliant does not by its very statement mean it’s a breach of HIPAA laws. What it does mean is you now have an additional vulnerability in an era of increased HIPAA enforcement with a dizzying array of new and sophisticated hacks and exploits targeting the healthcare industry.
A report from Experian Data Breach Resolution describes it as a “perfect storm” for breaches in the healthcare industry in 2014. Fueling the fire is the street value of patient data, pegged at $50 per record by the World Privacy Forum. With the advent of the Omnibus Rule, the responsibility now rests on your shoulders to not only identify a breach, but also to take very specific steps in the event a breach has occurred, often including notifying your patients, the media, and the Department of Health and Human Services.
I, for one, wouldn’t blame you for wanting to hold on to XP for a little while longer. I’ve written previously in VEIN Magazine about Windows 8 (volume-6-issue-1) being a winner for healthcare, and it certainly will be. With the flexibility it gives application developers, Windows 8 will evolve into an exceptional healthcare provider’s companion. But it’s not there yet, and XP works—and works well. So if you don’t intend to transition away from XP before April, here’s what you need to know.
You will, in no uncertain terms, be exposing your PHI to attack, and you will not be able to rely upon Microsoft, your anti-virus vendor, your hardware firewall, or your IT company to protect you. Furthermore, if you do in fact have a breach, you can expect the Office for Civil Rights to penalize you for not taking all reasonably practical and available steps to protect yourself. With fines starting at $50,000, the wisdom of the decision to retain XP could prove very costly.
What Can You Do about It?
Once you come to the realization that keeping XP and Office 2003 running in a healthcare environment post-April 8th isn’t worth the risks, you have three paths you can choose. Each path will bring your technology up to date, and none of the paths are mutually exclusive—you can mix and match the best solution for the circumstance or the particular workstation usage.
The Three Paths in the Post-XP World
First, and most obvious, is to upgrade the workstations running XP to new workstations. By that, I mean both new hardware and operating system, or purchase Windows 8 and install it on the existing box. If you’re upgrading, Microsoft recommends checking your systems with the Windows 8 Upgrade Assistant first to ensure compatibility. They’ve provided a Windows 8 upgrade tutorial and utility that can be found on Microsoft’s website. This will need to be a clean installation, meaning any existing data, files, and configurations will be lost. For most practices, XP workstations are nearing the end of their useful life and won’t meet the minimum recommended specifications. That means the purchase of new PCs. While new PCs are a good path, there are cheaper, more secure options.
A second avenue to consider is keeping your existing workstations that are running XP and converting them to virtual workstations. This includes some work (and dollars) on the server side of your network, but converting outdated PCs to virtual workstations will bring you to a current operating system without the hardware limitations of the PC itself. This may prove to be a cost-effective solution for those workstations that are still in good enough condition to warrant keeping. But what if the PCs are too old to continue using, and you don’t want to invest in a fleet of new PCs?
If you need to replace PCs, the option to replace them with thin clients will make sense for many practices. In essence, you are replacing PCs with small units that access your server, where a virtual desktop is created. For most users, the experience is transparent; there’s almost no difference in usage. For the administrator and the practice owners, there’s a considerable difference.
For starters, because user capabilities are centrally controlled and managed, you’re creating a more secure computing workplace; users can’t simply slip in a disk or a flash drive and download proprietary information. With HIPAA rules and the threat environment being what it is, this should be an overriding concern for most medical organizations.
In addition to greater security, thin clients are cheaper than workstations. To be fair, as I mentioned earlier, there is work and/or added cost on the server side to consider, but depending on the size of your organization, the cost benefits will either be realized immediately or over a reasonable time period. Part of that cost savings should also come from your IT company since managing a thin client virtual office network is less time consuming for them.
The third benefit of virtual workstations is they are more energy efficient, particularly in comparison to older PCs, like those that would still be running XP. While this energy savings may be more pronounced for larger organizations, money saved is still money saved, and in this climate of decreasing reimbursements and increasing costs, every dollar you can cut is worth keeping.
The sky is not going to fall on April 9th, and for most of the country it will be just another day. But for the healthcare industry, it marks yet another milestone where what was satisfactory and status quo yesterday no longer is so, and those who don’t take proactive action will face greater risks and potential fines. However, if you start your planning soon, you could find yourself in a better, more cost-effective, and safer computing environment.
For many, losing XP will be like losing a reliable old friend. Technology marches on, without a start button. RIP XP.