Office of the Chief Information Officer
Vice President for Information Technology
Windows XP Notice
Windows XP End of Life Notice
As you are probably aware, Microsoft has announced the “End-of-life” for Windows XP. As of April 8, 2014, Microsoft will no longer provide any security patches, updates, or support for this 12 year-old operating system. This will significantly increase the vulnerability of any device still running Windows XP at that time. Cyber-criminals are poised to attack any Windows XP systems they can still get to after April 1st, especially through the external Internet.
Due to the risks involved, many higher education and healthcare organizations are blocking external and internal network access to Windows XP devices. At MUSC, we will be blocking only external Internet access to these devices. Windows XP devices will still be able to access resources on the internal MUSC network. This change will occur on April 1, 2014.
In order to meet MUSC's legal and compliance requirements, there will be no exceptions: general external Internet access can no longer be permitted from Windows XP systems on MUSC's network after April 1st.
If you have a Windows XP device that cannot be upgraded, and the device needs to run an application that requires the use of one or more specific external Internet resources, please contact the OCIO Help Desk at 2-9700 as soon as possible. OCIO will need to perform a risk assessment, and determine exactly which specific external Internet resources are needed in order for the Windows XP machine to perform its required functions. MUSC's network security controls may then be configured to permit access to the specific external Internet resources that are required.
This quote sums up the gravity of this situation in regard to the HIPAA Privacy Rule: “In the event of a breach, it will be very hard for legal counsel to argue that hospital administrators took “reasonable and appropriate” measures to protect private health information if the system was attacked via an unpatched, unsupported 12-year-old operating system.” Laura Hamilton, Additive Analytics
Frequently Asked Questions:
How do I get an exception for my Windows XP Machine? NO MACHINES WILL BE EXEMPT FROM THIS INITIATIVE. As stated by MUSC's Privacy and Compliance Officers, "The OCIO does not have the authority to grant exceptions to this change. The risk is too great.” If you have any questions about this, please contact Mike Wheeler from the MUSC Compliance Office at firstname.lastname@example.org.
What will happen if I am still running Windows XP after April 1, 2014? Your access to the internal MUSC network will not change. Many organizations are blocking internal and external network access, but MUSC will only be blocking external Internet access.
What if my Windows XP machine is connected to a medical device that only supports Windows XP? Your device will still have external Internet access blocked. If the device needs external Internet access to a specific resource, the OCIO and your compliance office must perform a risk assessment. Firewall exceptions for external Internet access will ONLY be made for the exact IP address and port number of the specific resource needed for the machine to be used for business functions.
How do I get my machine upgraded to Windows 7? Call the OCIO Help Desk at 2-9700 and request a field engineer to assist you with the Windows 7 migration. If your computer hardware is too old to run Windows 7, we will work with you to provide a system that meets Windows 7 requirements.
What if my machine is LYNX XP due to PICIS applications being installed? All LYNX XP PICIS machines will have external Internet access removed. However, the OCIO will have a workaround available to allow these machines to use an internal server to access the Internet as needed to perform business functions.
How can I tell if my computer is on Windows 7 or not? For Windows 7 computers, in the bottom left hand corner of the screen, you will see the Microsoft logo for the start menu. Windows XP computers have a green button that says Start.
Can I use Windows XP on my home computer to access MUSC systems? It is strongly recommended that you upgrade your home computer. As explained above, staying on Windows XP puts your personal and MUSC data at risk.
Thanks for your understanding,
Sent on behalf of the OCIO Endpoint Security Team