April 8 has come and gone. Microsoft XP support is over. Our use of XP-based picture archive and communications system (PACS) should be as well. But it’s not.
With April 8 a couple months behind us, and everyone in the PACS community well aware that XP support is finished, many XP users are still using this antiquated system.
To see just how deeply engrained XP remains, scan today’s job postings for PACS administrators and you will see a continuing requirement for knowledge of XP.
Why? Because …
• much of PACS software is only certified for Windows XP;
• this legacy software cannot be exported to Windows 7 or 8;
• many workstations are old and will run slower, if at all, on the 64-bit Windows 7 and 8; and
• insufficient resources have been budgeted for the upgrade.
It’s understandable. Upgrading an XP-based enterprise PACS may entail the replacement of hundreds of PCs and their software. And that is just for PACS. XP is a core operating system (OS) for many healthcare IT systems. The cost in time and money to replace them will be huge; the testing and verification process complex.
Given this downside, it is all too easy to procrastinate, to dismiss April 8 as a soft deadline. After all, XP-based PACS worked the same April 9 as they did the day before. Microsoft didn’t pull the plug on XP — just its support. Strapped for resources, providers can tuck their XP-based systems behind firewalls and just keep chugging along.
Eventually, however, the piper will play. And the music won’t be pretty.
Over time, daily operations will slow, burdened by technical issues that have no solution because the underlying OS is no longer supported. Many software vendors will no longer support their XP-based products, because they will not be getting XP updates from Microsoft. And, with no more patches to fend off newly hatched viruses, spyware and other malware, security will become a nightmare.
Microsoft is selling the idea of an upgrade to a modern OS (e.g., Windows 8.1), as providing “dramatically enhanced security, broad device choice for a mobile workforce, higher user productivity and a lower total cost of ownership through improved management capabilities.” After 12 years of supporting XP, I think Microsoft simply wants to move on. The company wants you to do the same. So does Uncle Sam.
The HIPAA Security Rule
The U.S. Department of Health & Human Services link www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html states that “any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable … because the operating system is no longer supported by its manufacturer)”.
This begs the question: Why are we, as one of the most forward-thinking branches of medicine, still using a 12-year-old operating system? The end of XP should have taken no one by surprise. The transition to Windows 7 could have been accomplished years ago. Yet, here we are, on the verge of a PACS crisis that could happen one institution at a time.
Functioning without security patches in a world fraught with cyber attacks is a sure formula for enterprise-wide failures, hacked databases, lawsuits and fines.
If you have any doubts about the horrors that can befall such procrastination, look no further than General Motors (GM) and the faulty ignition switch its executives covered up for a decade.
The clock on antiquated PACS is ticking.
Greg Freiherr has reported on developments in radiology since 1983. He runs the consulting service, The Freiherr Group. Read more of his views on his blog at www.itnonline.com.