Cyberthreats Looms with the End of Windows XP Support
Posted April 2, 2014
Next Tuesday is the day that information technology (IT) professionals have warned users about for years: the end of Windows XP support. This event has raised concerns among healthcare facilities, many of which use older equipment that run on the XP operating system.
Many hospital IT departments have heeded the warning and taken steps to protect themselves as a result of federal programs like “meaningful use” of electronic health records. Adopting meaningful use has led to assessments that identify the risks of end-of-life software, said Matt Braun, director of networking and infrastructure at the University of New Mexico Hospitals and Health Sciences Center.
However, healthcare facilities have faced some difficulties, particularly when it comes to replacing medical equipment that runs on software. “There is a gross mismatch between the life cycle of a medical device and the life cycle of off-the-shelf software,” Braun said. “Even if the hospitals want to replace equipment, the manufacturers have been slow to adopt. In the spring 2014, we have major medical device vendors trying to sell brand new equipment based on Windows XP.”
Experts have long highlighted this problem. At the 2013 AAMI/FDA International Conference on Medical Device Standards and Regulation (ISC), Kevin Fu, an associate professor of computer science and engineering at the University of Michigan in Ann Arbor, said that some manufacturers don’t take security into consideration early enough in the design concept phase. Failing to do so is a mistake, as it is not so easy to bolt on solutions later, he said.
Indeed, after next week, bolting on security solutions for some devices will be a major hurdle. After April 8, 2014, technical assistance and automatic updates for the operating system will no longer be offered. While computers with this operating system will still work, they also will be more vulnerable to security risks and viruses. As Tim Rains, who manages security marketing and corporate communications in the Trustworthy Computing division at Microsoft, noted on a blog post last summer, once Microsoft releases security updates for supported versions of Windows, attackers try to reverse engineer them. The attackers will assess the vulnerabilities and see if XP shares them. Facilities that don’t upgrade also won’t be able to meet basic compliance with the Health Insurance Portability and Accountability Act.
Many would say hospitals should upgrade or replace these machines. However, as Mark Olson, chief information security officer at Beth Israel Deaconess Medical Center in Boston, noted during last year’s ISC, the estimated cost to replace these machines would be $1.2 billion every year.
Points of Attack
Microsoft said last year that cyber criminals will be able to attack Window XP-based system when users are performing many seemingly mundane tasks—surfing the Internet, opening e-mails or using instant messaging, or using USB drives. In spite of Microsoft’s warnings, XP remains the second most popular operating system in the world behind Windows 7 in terms of Internet usage, according to data from StatCounter, the independent website analytics company. In the United States, XP is in third place in terms of Internet usage, coming in at 15%.
"Despite the stark warnings and publicity surrounding the end of support … it appears that significant numbers of people are still using XP and sleep walking into a potential minefield of security and virus risks," said StatCounter CEO Aodhan Cullen in a prepared statement.
So while upgrading or replacing machines might be costly, with Windows XP support expiring, continuing to use it would “irresponsible,” Fu said in an e-mail. “Windows XP was designed for a different era of security threats, now long gone,” he said. “Each year, the flu vaccine is reformulated to meet changing threats. Imagine using an expired flu vaccine manufactured 13 years ago, saying that everything is OK because the vaccine is stored behind a firewall. That's Windows XP,” he concluded.
For those users who fail to upgrade, the impact is hard to predict, said Braun. “There are concerns in the security community that the bad guys are ‘hoarding’ XP vulnerabilities, waiting to use them until after the end of support so there won't be patches. The reality of the situation is that for many of these devices, hospitals have had to implement compensating controls for years because even when XP was supported the devices could not be patched in a timely manner,” he added.
While Braun doesn’t foresee an “XP apocalypse,” it will become increasingly difficult to maintain systems with XP components, contributing to reliability problems.
Users should also be aware that there are end-of-support dates with all Windows products and systems. The end-of-extended support dates are as follows:
- Windows XP: April 8, 2014
- Windows Vista: April 11, 2017
- Windows 7: Jan. 14, 2020
- Windows 8.1: Jan. 10, 2023
For more information, go to the following Microsoft page: http://windows.microsoft.com/en-us/windows/lifecycle
FDA Points Manufacturers to AAMI Cybersecurity Recommendations
Agency Aims to Guard Infusion Pumps against Cyberthreats
Primer Outlines Strategies for Combating Cyberattacks in Healthcare
AAMI Promotes Proactive Approach to Healthcare Cybersecurity in Wake of Hospital Ransomware Attack