Roughly two weeks ago MLA released a new version of its website. Right away librarians stuck (due to institutional standards) on IE 8 started complaining that the new MLA site did not display properly on IE 8. The good news is that the folks at MLA know of this problem and are working with the web developer to fix it and others. The bad news… the number of librarians stuck on IE 8 might indicate a bigger problem for hospitals as a whole. My guess (and this is totally hypothetical) is that many people who are stuck on IE 8 are stuck because they can’t upgrade to IE 9+ because they are on Windows XP.
My husband works for a company that creates an enterprise content management software system that is used by over 1,500 healthcare provider organizations representing more than 2,500 facilities. Sometimes our jobs deal with similar issues, sometimes they do not. This is one of those times that they did. I happened to mention the whole IE 8 problem to my husband and I think I started to see smoke billow out of his ears. Since the kids were already asleep for the night, I figured I touched on a hot topic. He told me that this has been a big problem in healthcare and banking for several years. Many of the hospitals running IE 8 are also the same organizations that are still running Windows XP. (While IE 8 can run on Windows 7, IE 9+ cannot run on Windows XP.) Not only did his company decide to stop supporting XP, they recently decided to no longer support IE 8.
Windows XP is NOT supported by Microsoft. Being on Windows XP is a security risk. Just yesterday the Wall Street Journal reported on a newly discovered security hole in Internet Explorer versions 6-11 in the article “New Browser Hole Poses Extra Danger for XP Users.” According to the article, the “coding flaw would allow hackers to have the same level access on a network computer as the official user.” Yeah, I echo the WSJ in saying “that’s really bad.” Microsoft is working on a fix, but that fix will not be available to XP users. The Forbes article title, “Microsoft Races To Fix Massive Internet Explorer Hack: No Fix For Windows XP Leaves 1 In 4 PCs Exposed,” pretty much says it all. A 13-year-old operating system still represents 25% of the world’s PCs. The cyber security software company, FireEye, revealed a “hacker group has already been exploiting the flaw in a campaign dubbed ‘Operation Clandestine Fox’, which targets US military and financial institutions.” While the WSJ article says FireEye said attacks were mainly targeted at IE 9-11, this security flaw is still a major problem specifically because Microsoft will not offer a patch for XP. Basically once Windows Vista, 7 and 8 machines are patched… what system is left to hack? One that doesn’t even have a patch and that users refuse to upgrade.
It isn’t like the XP rug was pulled out from under users. On the contrary, XP users have known for 2 yrs that XP would be unsupported. According to Forbes, Microsoft “repeatedly sent a pop-up dialog box to reachable Windows XP machines” with end of support information. Software developers, including my husband’s company, have warned customers that XP will no longer be supported by Microsoft and as a result they will no longer write software for XP nor support software on XP machines. My husband told me how they have contacted their hospital clients regarding XP, yet the clients haven’t upgraded nor have any real plans to upgrade immediately.
So we get the fact that having an operating system that is no longer supported is bad and could lead to security problems. But when you’re a hospital and the security of patient information is paramount to your existence, second only to treating patients, then you have a major problem. Under the HIPAA Security Rule section 164.308(a)(5)(ii)(B), organizations with sensitive personal health information are required to protect their systems from malicious software.
Several articles have stated that failure to upgrade from Windows XP is a violation of HIPAA.
- Just 12 weeks to get rid of Windows XP. Mike Semel, January 13, 2014. 4Medapproved.
- Will Your Organization Lose its HIPAA Compliance? Laura Hamilton, December 24, 2013. Additive Analytics Blog.
- What the Windows XP Sunset Means for HIPAA Compliance: An Interview with HIPAA Attorney James Wieland. Laura Hamilton. April 8, 2014. Additive Analytics Blog.
- Upgrade from Windows XP to Remain HIPAA Compliant. Anuja Vaidya. May 30, 2013. Becker’s Healthcare.
- How will Windows XP end of Support Affect Health IT Security? Patrick Ouellette. March 27, 2014. HealthITSecurity.
Mike Semel’s article states, “Just having a Windows XP computer on your network will be an automatic HIPAA violation— which makes you non-compliant with Meaningful Use— and will be a time bomb that could easily cause a reportable and expensive breach of protected patient information. HIPAA fines and loss of Meaningful Use money can far outweigh the expense of replacing your old computers.”
Sound a little drastic? It doesn’t seem so when you look at Laura Hamilton’s interview with HIPAA attorney James Wieland:
Additive Analytics: Let’s say that a hospital computer is still running Windows XP after the end-of-life (EOL) on April 8. Then a virus compromises the machine, and attackers steal personal health information (PHI). What are the legal ramifications for the healthcare provider?
James: On those facts, it would certainly appear to be a breach, reportable under the HIPAA breach notification rules to the individuals and to the Secretary. Breaches are subject to investigation and may result in penalties.
Hmmm, we just found out that there is a major security flaw with Internet Explorer which could lead to a breach, and machines running XP will NOT have a fix from Microsoft. What happens when the hacker group that FireEye discovered (or any hacker group) decides to exploit the healthcare side of things?
To me the IE 8 design problem for MLA.net opened my eyes to the greater XP problem within healthcare.