“After 12 years, support for Windows XP will end on April 8, 2014. There will be no more security updates or technical support for the Windows XP operating system. It is very important that customers and partners migrate to a modern operating system such as Windows 8.1.”
So begins the official declaration on the Microsoft website. There are still many active instances of the Windows XP operating system, including one on my home PC. Should we be more worried about “no more security updates” or “no more technical support”? Which is likely to cause more pain, and should we decide to continue using the soon-to-be unsupported operating system?
According to a recent article published by Retail Banking Research in London, “Virtually all ATMs around the world use a Windows operating system and many still use XP.” This could leave those ATMs subject to attack, should there be new security holes discovered in the XP operating system after April 8. While there are extended service contracts that customers can purchase, those only provide support and not new patches. Such contracts will also become increasingly expensive, and thus are considered to be only a short-term solution. In the case of ATMs, the article mentions further security measures, already deployed, that will most likely thwart attacks while manufacturers and banks deal with upgrading their operating systems.
“Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?”
This was a recent question posed to the Office of Human Rights, the arm of the government charged with enforcing HIPAA and HITECH rulings and mandates. While the answer is vague, it does say:
“ … any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).”
Taken to its logical conclusion, this means that after April 8, any computer system running Windows XP and generating or housing private patient information is not in compliance with HIPAA regulations. Do you have any vulnerable systems or do you know of any systems that could be out of compliance in the very near future? Do you have plans to remedy these soon?
According to the market share statistics site netmarketshare.com, Windows XP is still running on 29 percent of desktop systems worldwide. The end-of-life/end-of-support for XP was announced by Microsoft in June 2008 through end user notifications, so why the reluctance? I don’t think that it is apathy as much as familiarity. Windows XP has been around for so long that it has become a trusted and—thanks to the additional service packs—stable operating system. Why change? Changing requires time and disruption to our normal routines, and the alternatives may not be that enticing. Do we switch to Windows 7 or the much-maligned Windows 8, or are we still holding out for something better?
This blog is as much about change as it is about technology. I know that in my own life, I sometimes resist change until I am forced to face it head on, like in the case of increased security vulnerabilities in my operating system. To not change is comfortable and to change is hard. Sometimes, though, it is better and actually easier to change before we are the last one to do so.
I still have one last home PC on Windows XP. What do you recommend? Windows 7? Linux? Let me know your thoughts. I think it is time for me to change.
Kelly Brown is an IT professional, adjunct faculty for the University of Oregon, and academic director of the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.