Slashdot Mirror


Some Windows XP Users Can't Afford To Upgrade

colinneagle writes "During a recent trip to an eye doctor, I noticed that she was still using Windows XP. After I suggested that she might need to upgrade soon, she said she couldn't because she couldn't afford the $10,000 fee involved with the specialty medical software that has been upgraded for Windows 7. Software written for medical professionals is not like mass market software. They have a limited market and can't make back their money in volume because there isn't the volume for an eye doctor's database product like there is for Office or Quicken. With many expecting Microsoft's upcoming end-of-support for XP to cause a security nightmare of unsupported Windows devices in the wild, it seems a good time to ask how many users may fall into the category of wanting an upgrade, but being priced out by expensive but necessary third-party software. More importantly, can anything be done about it?"

5 of 953 comments

  1. Very common by Anonymous Coward · Score: 5, Interesting

    My old hospital was hit by this already. They couldn't afford an enterprise license from Microsoft that allows them to pick which version of Windows to install on their PCs (hundreds of thousands of dollars), some of our critical EMR software was only XP compatible and would not work on Windows 7. When Microsoft quit selling XP and wouldn't allow us to downgrade our Windows 7 systems, we were in a bind. We were able to find some XP licenses in the wild but still are between a rock and a hard place. FDA certification for our EMR vendors is a pain and moving to the new version of Windows is hard. I have no idea how we will overcome the sunsetting of XP.
     

  2. Re:I'm gonna say... by HideyoshiJP · Score: 5, Interesting

    This is potentially the case, but I've also seen numerous products in the medical field that won't run on Windows 7 because of poor decisions made during development. As an example, there is a piece of software (that's nearly up to date) that requires a specific version of Microsoft Forms Controls 2.0 (fm20.dll) and will encounter a memory error even on an up to date Windows XP example. Their tech support actually instructs you to replace the library in the Windows directory. Luckily, we're not complete tools and simply used redirection to an older copy in the executable's directory. Luckily, this is one case where we were able to find a workaround. There are so many poorly coded or managed pieces of software in the medical field it's difficult to stay up to date and not go broke. I've seen products developed by some amateur in VB without thought to which control he/she should be using (Hey! Forms 1.0, .net and an IE frame with an embedded apache page all in the same application form - why not!?). I've also seen those with MSI installers improperly coded that will fail to install on a 64-bit OS, requiring repackaging or extensive modification. Then there's the products managers purchased that rely on MS Office macros (my favorite!). These things are far more common than they should be, especially when Microsoft has entire documentation libraries and communities that can help developers/product managers adhere to best practices, even in advance of new product releases.

  3. Re:Certification by geoskd · Score: 5, Interesting

    You can probably count on one hand all the directly life critical software running as a regular app on XP, in the whole world.

    It's very unlikely there's anything at the eye doctor's office that falls in that category. This is a case of simple vendor lock-in. That's all.

    The problem is that the software takes significant time to write. Let's say it takes a team of three programmers 1 year to write. Now, say that it's a blockbuster, and 1/3 of all opticians use it. You're only talking about a couple thousand copies total. Maybe a thousand copies a year. Now, you also have to have someone do tech support and maintenance. So, you paid $300,000 to develop the software, and are paying $100,000 per year in maintenance, to sell 1000 copies per year. (That's a very high estimate btw). So, at break even, with no other company overhead, your product costs $400. Now if you take a more realistic view that most opticians already have the software they need, your annual sales expectation is probably more like 100 units, not 1000, and now you're looking at a $4000 price tag.

    Before you start talking open source, blah blah, let's not forget that this is a highly specialized application with very little general appeal, and no geek factor. The best you could hope for would be a project that somewhat resembles what you want and pay (by the hour I might add) to have someone adapt it to your needs. This quickly adds up too.

    All that having been said, the solution is actually simpler than it sounds. Good XP emulation is not that hard to find. WINE already does a pretty good job of it, and is unlikely to be end-of-lifed any time soon. It is likely that the best alternative for these boutique operations is to switch to Ubuntu or Debian with WINE, and be reasonably certain that they can survive the next hardware upgrade. It won't be cheap, but it will be better than $10k for a new copy of xyz opticiansoft, and it will be M$ proof.

    --
    I wish I had a good sig, but all the good ones are copyrighted

  4. Re:Unplug the computer from the WWW by Lothsahn · Score: 5, Interesting

    As a small business consultant who has run into this problem a number of times, as you said, airgapping doesn't always work. However, I have one customer who is security conscious and would rather alter his way of doing business than expose customer data and infrastructure to viruses.

    Two separate networks run on two separate switches (yes, VLANs could have been used, but the switches didn't support them). Each port in the building can be configured to the internal or external network. Wireless is only available on the external network.

    To this end:
    1) The ultrasound computer is airgapped because it's running Windows XP. Specifically, the software for the US machine is very old and only runs on XP, and upgrading would be a $10,000+ purchase (new US machine, not just the software cost).

    2) The records keeping and accounting is separate from the internet. Customer records are only available on the internal network, and not connected directly to the internet. These computers are thin clients with USB mass storage support disabled.

    3) The internet computer is a disposable kiosk computer, which has no access to customer records. If someone wants to look something up (i.e. rare disease), that computer is available for that. It's also accessible for emails.

    This has worked remarkably well. In the (extremely rare) event that an US picture needs to be emailed, the US computer is briefly connected to the internet behind a NAT firewall. We've had zero viruses or known intrusions on the internal network in 10 years.

    The doctors at this office are accustomed to the inconveniences that this brings, but they work around those issues. They did business for over 30 years with paper records, and they see no need to switch. The idea that some sensitive data gets leaked or hacked is more important than the minor efficiency gains they could achieve. However, this is a rare case. Most of my customers demand all their computers be internet-connected.

    --
    -=Lothsahn=-

  5. Re:Helps but not a complete solution. by Architect_sasyr · Score: 5, Interesting

    Yeah, best case we've deployed is a Citrix XenApp farm coupled with local computer access. Xen servers control medical software, local desktops are pretty free for email and porn (a surprising amount of porn for medics who are idle). We can control the Xen computers easily enough this way, local computers are wiped if they have a problem via our "perfect world" deployment policy*. It's nice, compromises are minimalistic at best and we segregate the desktops from the servers pretty solidly (with the file/print servers in the middle - "dual homed").

    Doctors can do what they want, netops are happy with what they get to lock down, and we even pass a lot of the DSD compliance ratings (not that we're audited, but it's a good benchmark).

    *Can't solve your problem in 10 minutes, a further 5 minutes to blow the machine back to standard image. 5 more to reconfigure default accounts and such (which is automated, but we also need to wait for download/sync of emails etc.). 20 minutes downtime from start of call to end, maximum.

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...