The Catalyst

Microsoft Windows XP changes ahead starting April 1

By Clay Taylor
OCIO


As you may be aware, Microsoft has announced the “end-of-life” for the Windows XP operating system. As of April 8, Microsoft will no longer provide any security patches, updates or support for this 12-year-old operating system. This will significantly increase the vulnerability of any device still running Windows XP at that time. Cyber-criminals are poised to attack any Windows XP systems they can still get to after April 1, especially through the external Internet.

Due to the risks involved, most higher education and health care organizations are blocking external and internal network access to Windows XP devices. MUSC will be blocking only external Internet access to these devices. Windows XP devices will still be able to access resources on the internal MUSC network. This change will occur April 1.

To meet MUSC’s legal and compliance requirements, there will be no exceptions: general external Internet access can no longer be permitted from Windows XP systems on MUSC’s network after April 1. 

If you have a Windows XP device that cannot be upgraded and the device needs to run an application that requires the use of one or more specific external Internet resources, contact the OCIO Help Desk at 792-9700. The OCIO will perform a risk assessment to determine exactly which specific external Internet resources are needed in order for the Windows XP machine to perform its required functions. MUSC’s network security controls may then be configured to permit access to the specific external Internet resources that are required.

This quote sums up this situation with regard to HIPAA’s 1996 privacy rule: “In the event of a breach, it will be very hard for legal counsel to argue that hospital administrators took ‘reasonable and appropriate’ measures to protect private health information if the system was attacked via an unpatched, unsupported 12-year-old operating system.”

Windows XP end-of-life FAQs:

How do I get an exception for my Windows XP Machine?
No machines will be exempt from this initiative. According to MUSC’s Privacy and Compliance Officers, “The OCIO does not have the authority to grant exceptions to this change. The risk is too great.”

What will happen if I am still running Windows XP after April 1?

Your access to the internal MUSC network will not change. Most organizations are blocking internal and external network access, but MUSC will only be blocking external Internet access.

What if my Windows XP machine is connected to a medical device that only supports Windows XP?

Your device will still have external Internet access blocked. If the device needs external Internet access to a specific resource, the OCIO and your compliance office must perform a risk assessment.  Firewall exceptions for external Internet access will only be made for the exact IP address and port number of the specific resource needed for the machine to be used for business functions.

How do I get my machine upgraded to Windows 7?

Call the OCIO Help Desk, 792-9700, and request a field engineer to assist you with the Windows 7 migration. If your computer hardware is too old to run Windows 7, we will work with you to provide a system that meets requirements.

What if my machine is LYNX XP due to PICIS applications being installed?
All LYNX XP PICIS machines will have external Internet access removed. However, the OCIO will have a workaround available to allow these machines to use an internal server to access the Internet to perform some business functions.

March 21, 2014
 
 
 

© 2013 Medical University of South Carolina