Some Windows XP Users Can't Afford To Upgrade
colinneagle writes "During a recent trip to an eye doctor, I noticed that she was still using Windows XP. After I suggested that she might need to upgrade soon, she said she couldn't because she couldn't afford the $10,000 fee involved with the specialty medical software that has been upgraded for Windows 7. Software written for medical professionals is not like mass market software. They have a limited market and can't make back their money in volume because there isn't the volume for an eye doctor's database product like there is for Office or Quicken. With many expecting Microsoft's upcoming end-of-support for XP to cause a security nightmare of unsupported Windows devices in the wild, it seems a good time to ask how many users may fall into the category of wanting an upgrade, but being priced out by expensive but necessary third-party software. More importantly, can anything be done about it?"
VMWare.
They have a limited market and can't make back their money in volume because there isn't the volume for an eye doctor's database product like there is for Office or Quicken.
Kind of like college textbooks?
*ducks*
That helps with hardware incompatibility but not security.
Who cares if XP is unpatched?
Special dental application to track intervention history, show X-rays associated, etc should not communicate with the internet.
Same goes to timetables / reservations.
If they need machines connected for mobility : make an internal network.
I don't see such a problem here.
I bet a lot of that $10k fee is due to the software requiring FDA certification.
Your hair look like poop, Bob! - Wanker.
Yup. The easiest is to upgrade to Windows 7 Pro or Ultimate and install XP Mode.
Prevent those few computers that are running the program from touching the Internet in any way. No networking services, web, email, ... or anything else. Make them strictly one function standalone devices.
A lot of "professional" users of computers (doctors, lawyers, bankers, etc) seem to think that they gotta have really special software to handle everything they do, because everything they do is so special. Much of this is due to people who think they're smart being duped by people who are smarter into thinking they need special software. Is the solution here that these professionals need to do a better job of buying their IT support in the first place? Admittedly, there is certainly some software that has to be written for very narrow and specialized needs, but a lot of these needs can be met by pretty much off-the-shelf solutions implemented by people who know what they're doing. I think these professionals start off by trying to do it themselves (because they are smart, you know?), find that it's not as easy as they thought, and then buy into the pitch that they need REALLY smart IT people doing specialized stuff for them. I'd laugh at all this, but it's part of why our health care costs so damn much.
True. However, there may be issues of vendor support. Some business apps are, and this includes specialist medical apps, mission critical, or at least sufficiently important that business may be compromised in the event of failure.
I know one hospital that recently upgraded their hardware. However, some of the middleware needed to make their various medical records applications work together, was only supported by the vendor on XP SP1. There were several problems:
1. The critical nature of this middleware, and the fact that the vendor would not support Windows 7 (or even XP SP3) with their version of the software.
2. The complex interaction of this middleware with so many other apps meant that they could not run the middleware in VM as it would not connect to the other apps via OLE/COM or whatever non-networkable protocol it used.
3. The prohibitive cost of sourcing an updated version of what was effectively a custom built solution, and the fact that the original vendor had been bought-out by a new company who were desperate to kill the original product, but were tied into a 10 year support contract. So, although they were contracted to provide 10 years of support, they were only going to support the original config.
The result was that when the original hardware reached end-of-life and had to be updated late last year, the hospital had shiny new quad-core Xeons with 8 GB ECC RAM, and 15k RPM SAS RAID workstations with 2 GB Quadro cards running XP SP1.
PATA and floppy drives were already out of style when service packs were still being released for XP.
From a support perspective, XP just isn't that old. It's a recently discontinued product regardless of how long of a supported service life it had.
A Pirate and a Puritan look the same on a balance sheet.
The issue is that medical devices require certified tested/verified drivers to ensure accurate results.
Due to the changes between XP and 7, some instruments require updated software with the corresponding "certified" drivers.
I recently ran across this with pulmonary function testing software at our mine.
I work in a very large semiconductor fab that is full of dozens, probably hundreds, of DOS, Windows 2000, Windows 98, Windows ME, and Windows XP machines. They will never be upgraded or patched.
Is this stupid? Yes. Is there anything I can do about it? No.
I just got done negotiating the purchase of a 2-million-dollar piece of equipment that comes with Windows. We actually have a purchasing requirement that all software be provided with patches as necessary, including OS upgrades, and that all source code be held in escrow in case the company goes under. However, when we negotiate the purchase specs, those lines get crossed out, because the vendor refuses to comply and we have no leverage, so we buckle.
Personally I think that anyone who uses something like Windows (a desktop OS with known, SHORT service lifetime, suitable for desktop computing in non-critical applications) in an industrial tool with 10+ year lifetime, should be fired immediately, and this should have been the case from the very beginning, but I was not around back then, and it became acceptable. Nobody ever got fired for buying Microsoft, even when it's an idiotic thing to do.
Yes, something can be done about it. Not overnight, but it can be done.
What?
Use Open Source.
You either need to pay 10.000 because it really costs 10.000, in which case you wouldn't be making a case out of it, you would just pay for it as part of your business costs, or it doesn't cost 10.000 but you end up paying 10.000 because third parties are controlling your business instead of you.
If you think you are in the second case, just ally with other "eye doctors" and make a software factory to produce the software on your behalf as open source. On one hand, you'll pay the real cost; on the other, the old producers will be forced to either lower their prices to the new market standard or fold. In any case, a win-win situation.
My old hospital was hit by this already. They couldn't afford an enterprise license from Microsoft that allows them to pick which version of Windows to install on their PCs (hundreds of thousands of dollars); some of our critical EMR software was only XP compatible and would not work on Windows 7. When Microsoft quit selling XP and wouldn't allow us to downgrade our Windows 7 systems, we were in a bind. We were able to find some XP licenses in the wild but still are between a rock and a hard place. FDA certification for our EMR vendors is a pain and moving to the new version of Windows is hard. I have no idea how we will overcome the sunsetting of XP.
Sounds like someone has never had to use medical software. As much as the "zealots" would like to think, not everything is best run on OpenSource. It's not a troll, it's based on 15 years working with medical offices and doctors that don't have time to figure out how to get things to work. And yes, a lot of doctors offices don't have any support on staff or contract other than the EMR or EPM company they are dealing with.
My sig of choice is Marlboro
In the linked article, the doctor couldn't afford to upgrade her specialty medical software.
1. It's unlikely that the version she currently uses does not run on Win7
2. It's unlikely that the version she would upgrade to does not run on XP
3. It's likely that the upgrade would cost $10,000 even if she wasn't changing OS versions
So what does this have to do with Windows? Nothing. The only information in the article is that specialty software can be very expensive. That fact stands alone and would do so on any OS and any version.
Has Slashdot become this gullible??
This is a really bad example to make your case. She has HIPAA data and needs to upgrade as her computer can't be patched anymore next year. No sympathy for someone with HIPAA data trying to get out of patching their system.
Now, if you had picked an example of someone who didn't have HIPAA data I'd point to options that could be done. However to be frank I am all out of sympathy for anyone in this situation. Microsoft announced end of life on this a very long time ago and frankly gave a lot longer on the EOL and support for the OS than Mac or any of the Linux variants.
This reminds me of the gas station owners put out of business by the new standards for underground tanks. They had years of advanced notice, yet they still refused to modernize something critical to their business that they knew they needed to. Time came that they could no longer be grandfathered in and all of a sudden a bunch of stations went out of business.
Why, because they didn't want to spend money for tanks that were resistant to leaks that could ruin the environment? A doctor that doesn't want to spend money to help prevent leaks (patient data) is no better than the gas station owner. It's a business expense just like any other and a business owner that refuses to give IT its due as they should. Quit supporting IT neglect by helping people like this out.
If you can do a fresh install, this would be a good opportunity to do so:
1. Install XP from scratch, with all the latest fixes and whatnot. Get it nice and pristine with no crap milling about beyond the barebones stuff. Get the licensing happy. :-)
2. SNAPSHOT
3. Get your custom software installed.
4. SNAPSHOT
5. BACK IT ALL UP.
6. Use gingerly
"Time flies like an arrow; fruit flies like a banana." --Groucho Marx
Just because a piece of software needs to run on an obsolete operating system, it doesn't mean that should be their main operating system. Stick it in a VM and don't attach it to the network unless necessary.
Bogtha Bogtha Bogtha
No need to upgrade to new software, it should run on Win7. There are multiple ways to configure compatibility.
FWIW, Win7 seems to be much more friendly to this than win8.
I've had two 16-bit programs (one used for point-of-sale, another a game my mom likes to play) hobbling along since win95. WinXP worked okay (some compatibility flags made it work), Win7 was a bear to make work with the printer and the point-of-sale program, and finally win8 broke both of them. No application error message, just win8 says, you can't run them anymore (the troubleshooter recommends using winxp mode sp3, but that doesn't work, nor do any of the other modes from win95, 98, me, XP-sp2, Vista, or win7, w/ or w/o administrator privileges, or in reduced color mode). The original publishers of both pieces of software are no longer in business, so purchasing upgrades to the new OS is a non-starter.
I've had to downgrade two new computers back to win7 and winxp (didn't have more than one spare win7 licence, so I had to reach back to xp) to support these programs for now, but now the writing is on the wall. I'm sure that my case is not unique and given my predicament, I'm sure that there are some applications that just won't run on win7 either even in compatibility mode.
How well does this interact with hardware?
We tried using a virtual machine to run National Instrument's LabView. It did not get along well with the NI Elvis breadboard systems we are using. Using it on native Win7 machines didn't work either.
XP mode is a VM based technology, though admittedly not the same as we used. Does it communicate better with external hardware than VMware?
I don't know the nature of the software she was using, but some I have seen in optometrists' offices *does* run hardware. If that's the case, XP mode and other virtual machines might not be a good solution.
Ignorance killed the cat. Curiosity was framed.
You know what, I was thinking the same. It's good I browse through comments before rushing to the "reply" button.
Also, dental business is lucrative business, if you're a good doctor you can make 10K profit in a month. My uncle (retired dentist) used to make 12-14K EUR monthly profit in Germany on average. Granted, he worked his ass off in 12 hour shifts at his own clinic, but customers kept pouring in.
The real reason is "I can't be arsed to do it" or "the new version of the software is not backwards compatible" which is not that far fetched.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
No need to upgrade to new software, it should run on Win7. There are multiple ways to configure compatibility.
"Should" is most certainly not "will". There's a piece of somewhat exotic medical hardware I have the misfortune of knowing which has drivers which only work on XP - mostly because it uses an extremely cheap and badly designed anti-piracy dongle. And no, it does not run on Windows 7 with compatibility mode, and no, it does not run in Virtual PC either. Because dongle.
(Because when a piece of hardware costs $10,000 and up, and the software which connects to it is utterly useless without that expensive hardware - because it's basically just a dial showing a readout - of course a practical use of programmer time is to add an extra pointless $1 anti-piracy hardware component to stop the millions of free copies which will soon flood the intertubes. Sigh.)
Anyway, tldr, yes, this is a huge problem in medical (or any special-purpose, critical-path) software. It's written by a hybrid of Ebenezer Scrooge and Bizarro Iron Man. Exorbitantly expensive, cheaply written, full of edge cases and bugs, hugely dependent on the manufacturer's support whims, will only run or be supported on extremely vanilla OS, and built without any concept of security or ability to work with a patching plan.
And then there's actual "security" software, that runs cameras and such, and if anything that's worse.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
You made your bed, now lie in it.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
The problem is customers. I work at a major hospital and a local consortium is looking to purchase some new medical records software, worth about $10 million.
We've been drafting the new contract for tender, and line 1 of the tender instructions is "The software will run on Windows Server 2008 R2 or Windows Server 2012 64-bit on the servers, and on Windows XP, 7 and 8 32-bit and 64-bit on the client side". I protested at this, but was told by the technical chair, that this term was not negotiable as it was a critical part of the spec; they simply did not have the in-house experience to manage a *nix system.
Later on, there was another line in the tender instructions. "The distribution of the source code of the product must be strictly controlled with appropriate audit trails for persons who have seen it, includes the source code of any 3rd party components used within the product". Again, I protested about this, but the chair of information governance and security said, that this term was non-negotiable due to the large volume and the critical nature of the data stored in this system!!
Take an image of the workstation running XP, convert it to a virtual machine. Take your new Windows 7 Machine, load up VMWare.. and tada.. you're running in a more secure, easy to manage virtual XP environment which you can keep protected and unchanged for years to come.
Might work if there's no hardware involved. If there is... I'd give 50-50 odds that even under VMware it will still fail.
These people don't write these things to standards. That's the whole problem. If they did it'd already just work under Windows 7 and wouldn't need virtualising.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
If you think you are in the second case, just ally with other "eye doctors" and make a software factory to produce the software in your behalf as open sourced. On one hand, you'll pay the real cost; on the other, the old producers will be forced to either down their prices to the new market standard or fold down. Any case, a win-win situation.
This is what I was thinking as well; just get together with peers in a similar situation, and 'Kickstart' an OSS version of the program, thus forever freeing yourselves from the shackles of proprietary software.
Plus, if you do it right and the software is good stuff, you might even be able to make a few extra bucks on the side selling an enterprise version or support.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
And if the software fails or does nasty things to your medical data... who are you going to sue? Have you even looked at F/OSS EULAs? I have seen a few EULAs for Windows-based medical software and upon buying the software, there's actually some (not perfect but some) accountability from the vendor. You can sue them if they mess up.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
That's an awesome way to run a business.
If your business is sticking forks in your eyes.
She already has too many problems with money and you want her to have problems with alcohol now?
But the best solution would be going down that road if the apps run under Wine, or if there are already open source programs (EyePACS?) that do most if not all of what she needs.
Maybe the medical profession would be better off pushing for Linux drivers... at least with a smaller profit motive there is some semblance of stability.
It is not easy to segregate networks like this. Remember that the receptionist might need the reservations app, and will probably need Internet access as well. So you're looking at two separate computers on his or her desk. Same with some of the accounting people - they still need to pull documents from the web.
The military already does this. It's common to have three different computers with different security levels on one desk, all of them air gapped from each other. But you're looking at three switches, three sets of cables to run, and so on. It's a lot of work even for an organization the size of the US Army, so it would not be feasible for a small practice.
Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
XP mode has the same vulnerabilities as XP. Its support will stop when the XP support stops.
The problem is not XP. The problem is speciality software vendors charging ten grand for a software update.
This kind of stuff is why it costs the rest of us $2120.14 to have a hangnail treated at our MD.
-- Slashdot: When Public Access TV Says "No"
Very often I noticed that the industry software some small businesses use could be replaced with more standard solutions. I recently had to deal with a stonemason and his software. These days they plot stencils and sandblast the letters. I didn’t like the few fonts he offered for tombstones and there was no way to make a file for him he could import. As it turned out he would have had to buy an additional (very expensive) module for the program he uses to import other fonts or any vector graphic format at all. During my research I discovered that his “special stone mason software” was more or less a repackaged plotter software which would be more powerful and cheaper if bought directly from the source.
XP mode runs over Virtual PC, which is not exactly a well polished and bug free virtual machine implementation. It has quite a collection of issues.
They announced their end of life date on the day of release. MS sets EOL 10 years from day of release on their OSes. Now, in the case of XP, it was extended. They do that sometimes. However 10 years is the norm, it is what you can count on, so it is what you plan for. Like with Windows 8 we already know the end of support date: 10/1/2023. It is always possible that will get extended, but it very well may not. So if you put an 8 system in place now, you know when you need to start thinking upgrade (at the latest).
MS is real, real, good with the support lifecycle thing. They have a standard policy, and current information is always available on their site. So planning for when upgrades need to happen is not hard.
The XP drop dead date has been a long time in coming, and is still over a year out. There has been, and still is, plenty of time to deal with it.
From what I've seen, professionals are generally super-penny pinchers. Something to do with the fact that they've gone through university and all that extra training and therefore are smarter than the general population and thus know better, or something.
I had to have some surgery done, and the consults with the surgeons were done in offices that really showed their age - being run down and everything. The computers they used were basically the best buy special of the week - the generally cheapass ones.
Likewise, if you go to see an attorney, they may have the nicest offices, but have IT equipment from the dark ages - again, the best buy special computers on the desk, some old PC serving as the "file server" and the like. And the IT guy is probably harried and underpaid, looking around for the next opportunity.
In essence, the computer is just a tool in their toolbelt. If it works, they won't bother with maintenance. Upgrading is a possibility, but it's a tool. What they have now works, and unless they're shown a compelling reason to upgrade they won't spend a dime on it. They probably don't care that XP won't be supported anymore - if it works now, it's not worth spending money on it.
You can yell and scream and shout, but all they hear is "money money money flowing out". And yes, that $10,000 they save by not upgrading means it's $10,000 that can be spent elsewhere buying something else or doing something related to their line of business. Even if something needs upgrading (e.g., the old crufty 7-year old desktop repurposed as a server is dying every 5 minutes rather than needing a reboot hourly), they'll just find something else to replace it with - perhaps another old crufty desktop that was the receptionist's PC from when they started years ago.
And yes, they're very receptive of open-source, because all they hear is free! free! free! (beer).
Sticking forks in others' eyes is a great way to get return customers in the eye care industry!
No, that won't pass a HIPAA audit; a virtual machine running an obsolete OS is non-compliant, regardless of whether the hosting OS is compliant. This is also true in the realm of finance with PCI audits.
XP is 12 years old. It'll be 13 when it's EOL'd.
...why are you measuring from when it was first sold, not when it was last bought. The XP lifecycle is a little strange as it was so awful it needed a major (and pretty good) service pack 2. Even when Vista was released many machines (famously those on i915) ran badly...or not at all; many machines still came without Vista. In fact a whole range of machines (nettops and netbooks) still came with XP until Microsoft killed it with and the whole net* products with Windows starter (and crippled intel hardware), fortunately those come with Android, iOS and Chrome now. The minimum lifespan of a proprietary OS should *safely* be 7 years from "end of sale" otherwise it's going to create a nightmare. In context of this article Net Applications still has 40% of users running XP.
XP is as old as Linux 2.4, which for the record was EOL'd 2 years ago. When's the last time you worked with a non-embedded copy of 2.4 that was expected to act as a normal citizen on the internet?
If you own a house, you get familiar with that kind of thing. I had to replace my A/C a couple years ago. Ran me about $7000 for a nice efficient one. Well guess what? That won't be the last time I have to replace it. So it is something I'm budgeting for. Not now, not next year, but in the future (I'm targeting 15-20 years out of this unit) I'll need to get a new one. So I'm making sure, to the best of my ability, that I'll have the money lined up. Same for other appliances, vehicle, and so on.
This is just life. Unless you rent everything, you will be replacing things and the more you own, like a house or, say, your own business, the more big ticket stuff that will involve. That means you have to plan as to the lifecycle and be ready for the expense.
Now for Windows OS related things that's pretty easy since Microsoft announces their lifecycle on OS release. So say you bought a product today that ran on Windows 7. It won't work on 8, and thus presumably later versions, and is not likely to be updated. Ok, that means that before January 14, 2020, you need to switch to something new. You have a little less than 7 years. So budget accordingly. If your software runs you $10k, then you need to save up around $1500/year (or $125/month if you like) to be ready for it.
If you can't deal with that, well life in general will cause you some headaches and you probably shouldn't be running your own business. Planning finances is a big part of it, you do have to think long term and you have to deal with some expensive shit.
More details:
- Use a secured host. Either Linux or Windows 7 (depends if Firefox + openoffice.org would be enough or not) but either has to be up-to-date.
- Run as much as possible software outside the VM using modern up-to-date software (if a browser is required, see if firefox running outside the VM does the job, or if you're stuck with IE 7).
- Isolate as much as possible the guest. (Guest shouldn't have ANY outside access at all, guest should only have a limited access to the host, host should be heavily firewalled against guest).
- If the medical software requires web access: provide it by having a secure web proxy running on the host.
(Optionally, use a virus-scanning plugin on the proxy.)
- Think of ways to scan the content of the virtual disk from outside the VM.
(For example, have an actual LVM logical volume used as virtual disk. Snapshot it, mount the snapshot read-only on the host and scan it, while the guest is still running).
- Think to make it easy to use: The best would be to run the VM in a mode where the guest's windows are displayed as normal windows on the host, and the guest desktop is hidden. Thus the user doesn't have to think about a "windows XP inside a window".
It's not perfect. But it's a quite sophisticated configuration to avoid putting the computer at risk, just because XP isn't upgraded anymore.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
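The snapshot-and-scan step suggested in the comment above, written out as an added example that is not part of the original thread or any commenter's own code. The volume group `vg0`, logical volume `xp-disk`, the 2G snapshot size, the mount point, ClamAV as the scanner and the guest filesystem sitting on partition 1 are all assumptions.

```shell
#!/bin/sh
# Added example: scan a running XP guest's disk from the host via an LVM snapshot.
# Constructed names (assumptions): VG "vg0", LV "xp-disk", ClamAV as scanner,
# guest filesystem on partition 1 of the virtual disk.
# Default is plan-only: commands are printed. APPLY=1 (as root) executes them.

run() {
    # Print the command; execute it only when APPLY=1.
    echo "+ $*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

scan_steps() {
    # 1. Copy-on-write snapshot; the guest keeps running on the origin volume.
    #    If the 2G copy-on-write area fills up, LVM invalidates the snapshot.
    run lvcreate --snapshot --size 2G --name "$SNAP" "/dev/$VG/$LV" || return 2

    # 2. Map the partitions inside the virtual disk through a read-only loop
    #    device, so nothing on the host can write to the snapshot.
    echo "+ losetup --find --show --read-only --partscan /dev/$VG/$SNAP"
    if [ "${APPLY:-0}" = "1" ]; then
        LOOPDEV=$(losetup --find --show --read-only --partscan "/dev/$VG/$SNAP") || return 2
    fi

    # 3. Mount with noexec/nosuid/nodev: guest files are data to the host.
    #    The snapshot is crash-consistent (like a power cut), so the guest
    #    filesystem may be flagged dirty; it is only ever read here.
    run mkdir -p "$MNT" || return 2
    run mount -o ro,noexec,nosuid,nodev "${LOOPDEV}p1" "$MNT" || return 2

    # 4. Scan from the host, where guest-resident malware cannot interfere.
    #    clamscan exits 0 when clean, 1 when something was found, 2 on error.
    run clamscan --recursive --infected "$MNT"
}

cleanup() {
    # Tear down in reverse order; a forgotten snapshot slows guest writes.
    run umount "$MNT" || true
    run losetup --detach "$LOOPDEV" || true
    run lvremove --force "$VG/$SNAP" || true
}

scan_guest_disk() {
    VG=$1
    LV=$2
    SNAP="${LV}-scan"
    MNT="/mnt/$SNAP"
    LOOPDEV="/dev/loopN"   # placeholder shown in plan-only output
    rc=0
    scan_steps || rc=$?
    cleanup
    return "$rc"
}

# Usage: ./scan-guest.sh vg0 xp-disk           (print the plan)
#        APPLY=1 ./scan-guest.sh vg0 xp-disk   (run it, as root)
if [ "$#" -eq 2 ]; then scan_guest_disk "$1" "$2"; fi
```

A non-zero exit status from the scan is the signal to power the guest off and roll it back to a known-good snapshot rather than trying to clean it in place.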
TFA was fine, until the writer threw this in:
And you have to remember that medical professionals are already reeling from a huge medical equipment tax courtesy of ObamaCare. One physical therapist told me of 14 medical centers that shut down because they couldn't handle the tax. And that's in Orange County. This area isn't exactly poor.
I call BS. That huge tax is 2.3%. The "14 medical centers" is an offhand rumor that doesn't pass the sniff test. In related news, a number of medical device manufacturers are blaming the device tax for their decisions to move existing and/or new plants overseas.... a tax that falls on all devices, regardless of where they're made. If Mr. Patrizio (or his Network World editor) doesn't like the PPACA, they can go to town. But, some research would have been nice.
Luke, help me take this mask off
It's kind of the opposite problem, but I encountered governmental agencies- for a large American city to remain nameless- who, today, continue to produce Web applications that require Internet Explorer 6 on Windows XP or earlier. When we encountered problems accessing them on 64 bit Windows 7 w/IE 9 (Compatibility Mode turned out to be the workaround), I called the head of the department in question to tell her that, well, most new machines today would be running 64 bit Windows 7 + IE 9 (or better), so it might help them to write code that didn't require IE 6.
She asked me to call her (apparently so that she could tell me something off the record) and told me that, for her department, a "new computer" was anything about 5 years old. Apparently, 5 years back, they got a bunch of Windows XP computers w/MS development tools, and that's where they still are today. Budget issues won't allow them to upgrade, so they're stuck writing code that would have been mediocre 5 years back, and is utterly horrid now. Wouldn't surprise me at all to see many governmental entities in the same boat.
-Z
Do any of you think it would be feasible to start a company that makes FOSS medical software for doctors' offices? I imagine that what an office needs isn't very different from office to office. The company would earn its money long-term providing support for the software. It would also need to be compliant with HIPAA and all other regulations.
The sibling post made the point about finding replacement parts for when things die. That was always my motivation for a complete system upgrade - something dying and needing to be replaced without me digging deep enough to find something that would work with the old system.
Buy new machine running Win7/8, install free vmware/virtualbox, run specialist software in VM fullscreen. Done
Some industrial stuff is still on ISA cards.
It's just that to go to new stuff needs lots of change to work.
Windows had its time and place and it has now passed. Now the medical community ought to embrace GNU opensource and use this Windows experience as a lesson. Proprietary systems are not there for public benefit.
"SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
Why doesn't XP mode work? XP mode is just a virtual machine running Windows XP. Maybe Microsoft left something out is all I can think of.
Because support for XP mode will end next year, too.
Most of these systems are single purpose and fit in more as an embedded system than anything else.
So, what is the attack vector? Most of the XP exploits in recent memory are related to people's browsing habits and pieces of the OS used by the browsers being susceptible.
So, the fact that people aren't surfing the web probably removes 99% of the threat, leaving the remaining possibilities of a worm on the internal network exploiting an open system service (network share etc) that could be blocked or disabled.
If an exploit is found in a direct system service like that I'm betting MS rolls out a security patch anyway. Probably, just to avoid the liability issues (same way you get recall notices on 20 year old cars if the problem is severe enough and considered a manufacturing defect).
It's only once the installed base drops below 5% or so would I guess that MS really stops supporting it for critical problems. Once that happens it's not going to be a target for new exploits anyway.
I'm just wondering how long it takes before they stop doing activations. I have a copy of XP that has never been activated, I'm keeping around just to see what happens. I suspect they release a no authorization patch at some point but right now if they did it I'm sure XP installs would take off again.