Healthcare lags behind in keeping operating systems up to date

While most industries have been able to migrate to newer operating systems, healthcare has been a laggard. With another Microsoft Windows XP Extended Support renewal on the horizon, the prospect of paying another $250,000 for another year is inevitable. Most organizations believe that as long as they receive patch support they can maintain HIPAA compliance. Patch support for XP is dwindling. Just getting occasional patches doesn’t mean you are secure.

For an organization of 10,000+ nodes, migrations need to start now in order to avoid paying in 2016. Most consider Windows 7 the target upgrade due to its stability. However, Windows 10 is set to release this summer. Upgrading to an operating system four revisions behind may not be the best decision.

There are several reasons healthcare has resisted change. The three most prominent are the risk of violating HIPAA compliance by unencrypting data to migrate, losing productivity in a high-stakes environment, and performing a migration for so many machines.

Encryption

It is essential that healthcare providers encrypt devices in order to maintain HIPAA compliance. Unfortunately, the process of migrating encrypted devices can be very complex. Healthcare providers do not want unencrypted devices left unattended. They also do not want unencrypted devices attended by non-medical staff. This presents a problem when you have thousands, or even tens of thousands, of devices to migrate. With focused cyber-attacks against the medical industry, healthcare providers need to be extremely cautious in migrating.

“Since the start of 2014, we have seen a 600% increase in attacks targeting health care data in the US because it is so valuable for enabling identity theft.” – Carl Leonard, Head of Websense Security Labs
http://www.computerweekly.com/news/2240234690/Big-Brother-Watch-calls-for-better-NHS-data-security-in-light-of-losses

Productivity

Productivity is important to patients and healthcare providers. Computers are involved throughout the exam and treatment process. Systems need to provide accurate and timely results. IT departments do not want to negatively impact patient care. A nurse or technician not being able to provide patient care because of a device upgrade is unacceptable. For organizations with thousands of machines, upgrading Windows XP in a realistic timeframe may require 100 or more device upgrades per day. The thought of more than 100 workers not being able to treat patients is catastrophic.

There are many reasons why an upgraded device may impact or halt productivity. Most machines perform a variety of roles including: data entry, data visualization, printing and controlling medical devices. If the application or driver software is not installed correctly, the healthcare worker may be hindered or prevented from performing their job.

Throughput

For large organizations, migrating 20 devices a night will not get the job done. Realistically, large organizations need to target 500-1,000 device migrations per week. That’s a hefty number. From a technical perspective, performing 100-200 migrations per night is not difficult for customers using LANDESK. Healthcare organizations tend to be highly distributed, and there are methods available for migrating devices at remote sites with limited bandwidth. The real throughput challenge, however, lies in teeing up that many devices.

Here are five quick suggestions for getting ready for a migration:

  1. Getting each department prepared and in agreement takes project management and a little higher authority.
  2. Anyone providing critical patient care has a trump card so their fears need to be heard and answered with facts.
  3. Data analytics are essential in understanding each software title so that testing is accurate as to how they perform under the new operating system.
  4. Contingency plans must be in place and getting everyone on board is preferred.
  5. A detailed communication plan with executive sponsorship is key with communications starting early, even months beforehand.

Conclusion

If you have not migrated, now is the time to start. Even Windows XP Extended Support will come to an end. An operating system that is no longer maintained, especially from a security standpoint, is not HIPAA compliant. Patient data is highly sought after by bad people. The expense of security breaches goes way beyond fines. Windows XP needs to be replaced using a tried and true migration process.

LANDESK has migrated many large organizations facing the issues described in this article. Whether you are in health care, financial services or government, our solution solves more than the Windows XP problem. Once in place, our provisioning process works for existing devices with legacy operating systems as well as new devices being brought into your environment.