Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - lets share interesting security information

Some Windows XP Users Can't Afford To Upgrade

I just read a post on slashdot:

During a recent trip to an eye doctor, I noticed that she was still using Windows XP. After I suggested that she might need to upgrade soon, she said she couldn't because she couldn't afford the $10,000 fee involved with the specialty medical software that has been upgraded for Windows 7. Software written for medical professionals is not like mass market software. They have a limited market and can't make back their money in volume because there isn't the volume for an eye doctor's database product like there is for Office or Quicken. With many expecting Microsoft's upcoming end-of-support for XP to cause a security nightmare of unsupported Windows devices in the wild, it seems a good time to ask how many users may fall into the category of wanting an upgrade, but being priced out by expensive but necessary third-party software. More importantly, can anything be done about it?

Let me briefly give you some insight into a discussion I had a few years ago: I was in touch with a regulator for medical devices because I wanted to understand their approach to patch management for embedded software. The reason behind my question was that I had talked to hospitals in this country, and the CIOs all told me that they are not allowed to patch or upgrade because doing so would void the accreditation of the device. When I talked to the regulator, they told me that they only require the vendor of the device to have a proper risk management process (not an effective one, just a process), and beyond that they do not want to act. They told me that the hospitals need to increase pressure on the vendors to keep the software updated, since the vendors have no incentive to do so on their own.

This is one of the key scenarios that scare me about the Windows XP end of life: machines that cannot be upgraded for legal reasons or because of economic pressure, as described above.

Roger

Comments
  • run the XP mode inside of windows 7....

  • This is an opportunity for Windows Azure to offer XP installations.

  • It should work fine in XP mode on Windows 7.  I've used that when I had to use Access 97, and even older hardware devices that don't work past XP.

  • Downside with XP mode is that technically it is still an OS and come 11.5 months from now, it will still be vulnerable to security problems. Best suggestion would be to install a vanilla Win XP, transfer the software, license and data to that XP machine. Hard-code an IP address and set the firewall to deny all access to Internet related ports going in and coming out of the XP machine. Vanilla means after the installation, to remove all non-essential apps, disable IE, remove WMP, etc. The only way something attacks the XP VM is from the host.

    That said, I know quite a few who can't afford to buy a new system. Seniors, unemployed, etc.

  • 2 problems: Much of this software requires some sort of cert process, and the certification for medical use is invalidated if it is installed on an unsupported OS. This is a legal/medical issue that needs to be solved by changing laws and rules. The other issue is that many vendors will not support their product if installed on unsupported software. Doesn't matter what the problem is. A lot of times, because of hardware communication, you cannot run the software in an emulator or under "compatibility mode". I recall a time when I had installed some written-for-Win95 medical software on WinXP as we were upgrading our systems. The software ran great for a couple of years when a difficulty arose. When I talked to tech support they refused to offer any help since it was not running on Windows 95. Didn't matter that it had been running fine on XP for a couple of years, they were NOT going to discuss the matter until it was properly installed on a supported OS. Fortunately, I was able to deduce that the user had deleted an important file, and so I was able to solve the issue. And we were paying $$$$ for annual support and licensing; the software had to be re-licensed every year to continue functioning. I made it a high priority to find a replacement for it by the next licensing round...

  • I definitely understand these issues and I think that shielding the machine as Ed suggested is probably the one and only approach if you cannot migrate off for any reason. The legal/certification rules need to change. As I said above, the regulator definitely needs to get a different approach to these problems. E.g. in Australia, the government mandates the critical infrastructure to stay on the n-1 version and they have to prove that. This will not solve all problems – by far – but I hope it will drive a different view and behavior on the vendor side.

    On the other hand, I see too many customers who just did not even think about a migration yet. This is scary.

  • Microsoft has a stake in this game.  Some of their practices have encouraged developers to stay on old platforms, rather than encouraging the developers to update and upgrade.  Simplified and transparent licensing agreements would help, and I think that MS has made some progress the last few years, but my recollection of 5-10 years ago was that there was NO incentive to upgrade anything, and lots of incentive to stand firm on the tools we already knew.  There were substantial penalties to updating platforms at that time, with no upside benefit.  Even my current employer, one of the largest health systems in the US, has no incentive to update the main app server I use from Server 2000.  I believe that the support agreement with Microsoft just expired.  Perhaps if MS made all licenses for 4 years non-renewable it would encourage vendors, developers, and businesses to plan ahead?  

    I've been playing the healthcare game for a few years now, and there is plenty of blame all around.  But the small players, the small private practices, the shop with 2-3 PC's, they don't have the financial clout to change the game.  But it will be the small private practices that will get burnt by the security problems, that will have data lost or stolen, and they can least afford it.  It's the big software companies and the big health systems that have to make the changes, because that's where the $$ are coming from and going to that support these attitudes.  

  • Perhaps MS has the leverage to push some of these vendors?  Perhaps MS has the resources to help the little guys migrate?  Perhaps MS can provide some incentives to encourage the small offices?   I wish I knew the answer.  My dentist, my chiropractor, my eye doctor; all solo practices; they see only trouble ahead on the horizon, and no-one is giving them an answer.  I've talked to them, and they don't know what they can do.  They are having a budget crunch, and this is not the time for added expenses.  And now they are stuck between a rock and a hard spot.  

    I have a feeling that many owners of solo practices will be selling out and retiring very soon.  The game is no longer fun.

  • Ed's suggestion to set up an isolated, shielded XP system to run legacy apps is neat and should be used whenever possible; but in many cases it's just not practical in the real world. A VM won't work for many of these apps; the vendors almost universally will not support that. And the vendor will want to remote in via WebEx or a similar tool, and that won't work on the minimalist and secure VM. And most people can't work with multiple boxes, no space/budget. And every time you create a setup like this you have a special problem that will require continuity of support, and most small offices don't have the resources to do this.

    Changes in the game to encourage/enforce n-1 in Healthcare could be good.  I spent too many years maintaining legacy systems that were not replaceable.  My current employer still has quite a few of them but not my headache since I have stepped away from those responsibilities.  The vendors won't do it without a carrot or stick; and as long as there is no business case for it our administration will not do it.  And all that IT rank and file can do is to attempt to mitigate the situation.  
