As far as TV shows are concerned, there are a number of them which my now grown kids and us, the parents, equally enjoy; for example most recently Breaking Bad. But then there are some, where … well, let me phrase it politely, the older generation does not quite see eye to eye with the younger. The Walking Dead would fall into that category; I am definitely not getting the point.
Or maybe it is that I am dealing with too many Walking Dead, meaning ugly things you just can’t kill, during my day job? And as of today, there is another one to add to that list – the official end of support of Windows XP. And a big one that is.
After 12 years in the market, Windows XP certainly is established well and, not surprisingly, its end does not come easy:
- According to a CNN Money article from March, 95% of bank ATMs are running on Windows XP (although other articles have placed the number somewhat lower at 60% or 75%, respectively, but still).
- The total number of computers still running XP by late last year was estimated to be as high as 1/3 or the world’s 1.6 Billion PCs.
- Both, the UK and Dutch governments have entered into multi-million dollar contracts with Microsoft to support 10 thousands of Windows XP computers still used by government agencies (with completion of the migration expected to last a few more years).
- It is being speculated that cyber criminals have been holding back on attacks and have been collecting Windows XP vulnerabilities until after its end of support.
I believe that this problem also affects the healthcare industry and we have a serious set of challenges to deal with. The number of systems and the platform diversity is high, which makes any migration project difficult. Add to that system interdependencies, e.g. a certain web application requiring IE 6, or another client-side application depending on a specific server version, which requires a specific platform …. you get the picture.
Then the need to actually shut down systems to upgrade the OS, migrate data and user profiles, potentially upgrade the hardware, etc. In healthcare, there is never a good time to do that, and certainly not with the majority of your desktops. And then there are medical devices, where the manufacturer’s FDA-approved version may be running Windows XP (or sometimes even older versions) and even though upgrading the OS may not require obtaining a new FDA approval, it certainly requires re-testing of the device by the manufacturer to assure it’s continued safety and effectiveness.
The healthcare press has also addressed this topic. Unfortunately, I have seen a lot of misinformation as well, the short version being: If your OS is end of support you can’t patch anymore, and if you can’t patch you are out of HIPAA compliance. That, luckily, is not correct, as for example discussed by Health and Human Services here: http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html.
Basically, what HHS is saying is that it all comes down to your Security Risk Analysis. If you can’t patch your OS, you may implement (and document your decision in your Risk Analysis, of course) what security professionals call a “compensating control”; i.e. alternative security measures which provide equal or even better protection.
Host Intrusion Detection / Prevention Systems (HIDS/HIPS), as for example Symantec’s Critical Systems Protection product, can be such a compensating control by providing protection for unpatched devices and in may even exceed the native security features and properties of the OS.
Mind the Air Gap
Another approach taken by many is to isolate critical systems (or subnets of critical systems) from the main network. This may be a useful path forward, but may not close all vulnerabilities. Specifically, such devices or subnets remain vulnerable to so-called “air gap attacks” via removable storage media, e.g. USB flash drives. Such isolation architecture is only effective if it goes hand in hand with strict portable media usage policies and technical controls to prevent the introduction of malware across the air gap.
In summary, as so often in Health IT, it’s complicated. But there are solutions available that can be used to effectively mitigate the challenges of unsupported operating systems, manage complex migration projects, and assure compliance. Further discussion of the topic can be found here: http://www.youtube.com/watch?v=5tDqWjTMbz8
Unfortunately, the Walking Dead are among us and there is no way to get rid of them anytime soon. But, as discussed, there are alternatives that allow us to move forward while remaining compliant and protected.