How Many Patients Will Die Along with Windows XP?

By ISBuzz Team, Writer, Information Security Buzz | Mar 28, 2014 02:51 am PST

According to NetMarketShare, at the end of February 2014, 30% of all PC users were running Windows XP. Over the past year I’ve been working closely with a huge medical devices group. Don’t have a heart attack (especially if you have a pacemaker running on XP), but based upon what I’ve learned during that time, I anticipate that the percentage of medical devices running on XP is even higher than this. Several months ago many of the medical device manufacturers indicated that they also use embedded XP for the GUIs of their devices, as well as to provide a link to external databases (containing vital medical data collected and used by the devices). Why?

– Because, when the devices were created, Microsoft had promised to support Embedded XP for “many more years.”

– Embedded XP configurations were considered to make it difficult for a wide range of viruses to affect the medical device.

– A large portion of medical devices were coded in C#/.NET, and there was often legacy C++ code that the manufacturers wanted to continue using on XP.

Also, a large number of medical devices have very long life spans: 10 – 20 years is not uncommon, and that makes sense when you think about how they are used. Many devices were created at a time when Windows XP was the newest OS available.

So the end of support for XP means that XP-based medical devices will no longer receive security patches to protect them from viruses, spyware and other malware, and there will no longer be technical support available from Microsoft for these devices.

NOTE: Clarification in the following paragraph added on 4/3/2014. Rebecca will provide more information about the related compliance issues in her next post on her blog site. Rebecca thanks those of you who pointed out the poor wording in the original version (a result of too quickly editing down the word length, and losing some important qualifying sentences as a result) that led to an overstatement of the compliance issue. Sorry for the resulting confusion in the original!

Medical devices will then be vulnerable to malware and hacking, and may also be non-compliant with the HIPAA technical requirements to secure devices holding PHI, depending on the associated risks and on whether the entity has documented plans to mitigate those risks by upgrading appropriately to a supported OS. Of even more concern, medical devices running on no-longer-supported OSes present real health risks to the patients.

This isn’t the first time this type of medical device OS situation has been experienced, though. There are still medical devices running on Windows 95 and Windows 98.

Rebecca Herold | The Privacy Professor | @PrivacyProf
