As Windows XP security updates cease, what's next for healthcare providers?

On Tuesday, Microsoft ended security patches and end-user support for Windows XP, possibly leaving systems that still run the operating system vulnerable to breaches and attacks. So what does this mean for health IT professionals who still have Windows XP systems installed at their organizations?

Kevin Fu, a medical device security researcher, told HealthcareInfoSecurity that healthcare organizations using Windows XP-based machines absolutely need both short- and long-term strategies for addressing cybersecurity.

"Having your Windows XP machines segmented away [in separate networks] is not going to be a perfect solution, but it can at least buy you a little bit of time," Fu said. "In the longer view, healthcare organizations--especially hospitals--need to come up with a strategic effort to get off XP."

Unfortunately, XP in hospitals is fairly dominant, Fu pointed out. XP-based medical devices pose risks to both manufacturers and patients, and other XP-based systems in healthcare, such as admissions software and electronic health records systems, pose security risks as well.

"If the systems are going to be out there indefinitely with no plans to retire [them], then I think [healthcare providers] are just asking for trouble," Fu said.

Meanwhile, Gene Thomas, vice president and CIO at Memorial Hospital in Gulfport, Miss., told HealthITSecurity that his organization has been prepared for the situation for a long time. Memorial, he said, is in the middle of an electronic health record system replacement. To that end, he said, the hospital plans to use virtual desktops to deliver workstations to end users.

As FierceITSecurity reported in February, more than one-third of 641 enterprises surveyed by Tech Pro Research have no plans to upgrade from Windows XP because they have crucial software tied to the aging operating system.

"While it might be costly for enterprises to upgrade to a more modern version of Windows because of existing software, the costs from a security breach will far exceed the costs from migrating away from XP," FierceITSecurity editor Fred Donovan wrote earlier this month.

As reported in February, the networks and Internet-connected devices of healthcare organizations--from hospitals to insurance carriers to pharmaceutical companies--are being compromised at an "alarming" frequency, according to analysis of malicious traffic by The SANS Institute.

To learn more:
- read the HealthITSecurity article
- read the Microsoft post
- read the HealthcareInfoSecurity article
