Compliance Issues Raised by the End of Life for Windows XP Software
It’s the end of the road for Windows XP. The very popular and widely used Microsoft operating system will have officially reached its “end of life” for organizations in the United States. As of April 8, 2014, Microsoft will no longer provide any free or paid support assistance. Users will no longer receive patches, hotfixes, or security updates from Microsoft. Consequently, XP will become a prime target for hackers eager to exploit weaknesses in the system and penetrate vulnerable networks utilizing it.
When any IT or technical product reaches its end of life, in most cases, all support is halted. This leaves the software or hardware vulnerable to future exploitation or attack. Reported errors, compatibility issues and feature requests are no longer addressed with upgrades or patches. While an end of life operating system, software package or machine may still function, if it is on your network, it becomes a target for hackers seeking backdoor access and this creates a huge risk to the security, integrity and availability of your confidential business and patient information.
HIPAA, HITECH and the PCI DSS have addressed the issues of end of life technology:
Requirement 6.1 of the PCI Security Standards requires users to “ensure that all system components and software have the latest vendor-supplied security patches installed” and to “deploy critical patches within a month of release.”
HIPAA Security rule 164.308(a)(1)(ii)B) requires regulated organizations to “implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).”
It is certain that an end of life operating system or otherwise network-accessible end of life software (such as server platform software, outdated email clients, etc.) will render your network vulnerable to a security incident or breach and out of compliance with HIPAA and PCI DSS.
In the case of Microsoft XP, in order to help organizations complete their migrations, Microsoft will continue to provide updates for their antimalware signature and engine for Windows XP through July 2015. However, this scaled back, temporary support does not address OS security holes or other non-malware related vulnerabilities.
Legacy hardware, medical equipment or legacy OS dependent software can make it more difficult and time consuming to upgrade a machine or network of machines. Some medical equipment or devices reliant upon end of life operating systems may be too costly to replace with newer equipment. Keep in mind that having an XP machine or any other end of life technology does not automatically render you out of compliance with HIPAA or PCI DSS, but if you do nothing- it could.
There are options. Legacy dependent devices or software could be configured to run within a Virtual Desktop Infrastructure (VDI) or a sandbox environment. Using firewalls and proxy restrictions to isolate XP machines from your network or the Internet in combination with application whitelisting may be a practical option for you to mitigate serious risks. Vendors may have software or firmware upgrades that could allow your equipment or software to function on a newer operating system. The most important factor to consider is risk. When any major change occurs within your network, such as an OS end of life, it should always trigger a full Risk Assessment. A timely assessment will arm you with the information you need to take the next step in maintaining the confidentiality, integrity and availability of your network.
If you are unable to upgrade your operating system or software before it reaches end of life, be sure to specify in your risk assessment documentation:
- the reasons you are unable to upgrade at this time,
- your plan and targeted date for completing an upgrade, and
- the steps you are currently taking to mitigate any risks.
If you would like to learn more about how end of life software could be affecting your network or if you believe you may need a Risk Analysis/Assessment to determine the risk end of life software may pose to your network, contact us today.