Some Windows XP Users Can't Afford To Upgrade
colinneagle writes "During a recent trip to an eye doctor, I noticed that she was still using Windows XP. After I suggested that she might need to upgrade soon, she said she couldn't because she couldn't afford the $10,000 fee involved with the specialty medical software that has been upgraded for Windows 7. Software written for medical professionals is not like mass market software. They have a limited market and can't make back their money in volume because there isn't the volume for an eye doctor's database product like there is for Office or Quicken. With many expecting Microsoft's upcoming end-of-support for XP to cause a security nightmare of unsupported Windows devices in the wild, it seems a good time to ask how many users may fall into the category of wanting an upgrade, but being priced out by expensive but necessary third-party software. More importantly, can anything be done about it?"
VMWare.
They have a limited market and can't make back their money in volume because there isn't the volume for an eye doctor's database product like there is for Office or Quicken.
Kind of like college textbooks?
*ducks*
That helps with hardware incompatibility but not security.
Yup. The easiest is to upgrade to Windows 7 Pro or Ultimate and install XP Mode.
Yea, it's not like medical software errors ever killed anybody. Eh, Therac-25?
The issue is that medical devices require certified tested/verified drivers to ensure accurate results.
Due to the changes between XP and 7, some instruments require updated software with the corresponding "certified" drivers.
I recently ran across this with pulmonary function testing software at our mine.
My old hospital was hit by this already. They couldn't afford an enterprise license from Microsoft that allows them to pick which version of Windows to install on their PCs (hundreds of thousands of dollars), and some of our critical EMR software was only XP compatible and would not work on Windows 7. When Microsoft quit selling XP and wouldn't allow us to downgrade our Windows 7 systems, we were in a bind. We were able to find some XP licenses in the wild but still are between a rock and a hard place. FDA certification for our EMR vendors is a pain and moving to the new version of Windows is hard. I have no idea how we will overcome the sunsetting of XP.
Sounds like someone has never had to use medical software. As much as the "zealots" would like to think, not everything is best run on OpenSource. It's not a troll, it's based on 15 years working with medical offices and doctors that don't have time to figure out how to get things to work. And yes, a lot of doctors offices don't have any support on staff or contract other than the EMR or EPM company they are dealing with.
My sig of choice is Marlboro
This is a really bad example to make your case. She has HIPAA data and needs to upgrade as her computer can't be patched anymore next year. No sympathy for someone with HIPAA data trying to get out of patching their system.
Now, if you had picked an example of someone who didn't have HIPAA data I'd point to options that could be done. However to be frank I am all out of sympathy for anyone in this situation. Microsoft announced end of life on this a very long time ago and frankly gave a lot longer on the EOL and support for the OS than Mac or any of the Linux variants.
This reminds me of the gas station owners put out of business by the new standards for underground tanks. They had years of advanced notice, yet they still refused to modernize something critical to their business that they knew they needed to. Time came that they could no longer be grandfathered in and all of a sudden a bunch of stations went out of business.
Why, because they didn't want to spend money for tanks that were resistant to leaks that could ruin the environment? A doctor that doesn't want to spend money to help prevent leaks (patient data) is no better than the gas station owner. It's a business expense just like any other, and a business owner that refuses to give IT its due is no better. Quit supporting IT neglect by helping people like this out.
A lot of "professional" users of computers (doctors, lawyers, bankers, etc) seem to think that they gotta have really special software to handle everything they do, because everything they do is so special. Much of this is due to people who think they're smart being duped by people who are smarter into thinking they need special software. Is the solution here that these professionals need to do a better job of buying their IT support in the first place? Admittedly, there is certainly some software that has to be written for very narrow and specialized needs, but a lot of these needs can be met by pretty much off-the-shelf solutions implemented by people who know what they're doing. I think these professionals start off by trying to do it themselves (because they are smart, you know?), find that it's not as easy as they thought, and then buy into the pitch that they need REALLY smart IT people doing specialized stuff for them. I'd laugh at all this, but it's part of why our health care costs so damn much.
Well, I can certainly tell that you're not a physician. As a physician, I can tell you that you have no idea how many limitations, restrictions, and compliance requirements exist in medical software. The issue isn't that you need these things; sure, you could host your patient information on Google Docs, but when someone breaks into that it can cost you 250K per patient that is lost, and there isn't an upper limit on that either. I don't see that many doctors with that kind of cash willing to take those risks. I am not saying it is better to be running on unsupported systems, but it isn't like you can go download some MySQL database and front-end designed to organize your DVD collection and safely store patient information. Also, most doctors don't have the time or knowledge to do it well themselves, so they are stuck with what is 1) out there, and 2) compliant.
No need to upgrade to new software, it should run on Win7. There are multiple ways to configure compatibility.
"Should" is most certainly not "will". There's a piece of somewhat exotic medical hardware I have the misfortune of knowing which has drivers which only work on XP - mostly because it uses an extremely cheap and badly designed anti-piracy dongle. And no, it does not run on Windows 7 with compatibility mode, and no, it does not run in Virtual PC either. Because dongle.
(Because when a piece of hardware costs $10,000 and up, and the software which connects to it is utterly useless without that expensive hardware - because it's basically just a dial showing a readout - of course a practical use of programmer time is to add an extra pointless $1 anti-piracy hardware component to stop the millions of free copies which will soon flood the intertubes. Sigh.)
Anyway, tldr, yes, this is a huge problem in medical (or any special-purpose, critical-path) software. It's written by a hybrid of Ebenezer Scrooge and Bizarro Iron Man. Exorbitantly expensive, cheaply written, full of edge cases and bugs, hugely dependent on the manufacturer's support whims, will only run or be supported on extremely vanilla OS, and built without any concept of security or ability to work with a patching plan.
And then there's actual "security" software, that runs cameras and such, and if anything that's worse.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
Special dental application to track intervention history, show X-rays associated, etc should not communicate with the internet.
See this is just plain nonsense.
I'm working with these sorts of customers, and the bottom line is that air-gapping the internal network is absurd. They need things like internet access and email in the various exam rooms at the front desk, in their offices etc. They also need to be able to review exam data in many of these places.
For example, the front receptionist needs to be able to send and receive email, send out email reminders, email invoices, track shipments online, and other stuff like that. So that computer needs to be online. But they also need to be able to access the patient management system, pull up patient history for invoicing, etc.
The patient management system is also tied into the medical equipment, as many instruments will submit the captured exams to the patient management system via DICOM and so forth. So that computer also needs to be on the so-called "internal network".
You want support for a medical instrument / software -- you can't even theoretically take that to futureshop's geeksquad to sort out... but remote support via teamviewer/gotomypc/etc now saves shipping expensive equipment around or flying expensive technicians around in many cases. The equipment has to be online for that. Nevermind that they usually outsource IT because they're pretty small shops that can't support in-house IT, and remote admin / support for routine maintenance is a lot cheaper than onsite.
Meanwhile doctors want to be able to send exams to partners, manufacturers, consultants, and so forth. Doctors want to back up the data to the cloud. Two computers at every desk, separate networks, and moving the data across an airgap each time would be a major hassle and expense.
And that's just the tip of the iceberg.
The software itself has started moving towards cloud storage and cloud backup integration, and there are even patient management systems now that are SaaS. The new and the old collide... people are using 10 year old instruments with new practice management systems and a lot of the new stuff available either outright has to be online, or at best you lose a lot of functionality if it is not.
I don't see such a problem here.
That's because you obviously haven't tried to solve it for a real practice in the real world.
Special dental application to track intervention history, show X-rays associated, etc should not communicate with the internet.
In the real world it does. Patients like email reminders of their appointments, they like to get emailed copies of their invoices for insurance claims and so forth. Doctors routinely need to send patient records to other doctors, specialists, consultants and so forth. Things need to be backed up offsite -- and online backup is the most practical solution by far for that.
Many doctors work in multiple practices, Tuesdays here, Thursdays there... and they want to be able to review and analyze patients cross-site, so in some cases multiple offices are linked via VPNs etc.
Nobody today would tolerate having all the exams from a particular instrument available only on a single air gapped unit or even an air gapped network.
Most of the Doctors I know have 2 or 3 ex wives and several child support payments that eat up a lot of their money. Then there is the current wife and mistress.
You can probably count on one hand all the directly life critical software running as a regular app on XP, in the whole world.
It's very unlikely there's anything at the eye doctor's office that falls in that category. This is a case of simple vendor lock-in. That's all.
The problem is that the software takes significant time to write. Let's say it takes a team of three programmers 1 year to write. Now, say that it's a blockbuster, and 1/3 of all opticians use it. You're only talking about a couple thousand copies total. Maybe a thousand copies a year. Now, you also have to have someone do tech support and maintenance. So, you paid $300,000 to develop the software, and are paying $100,000 per year in maintenance, to sell 1000 copies per year. (That's a very high estimate btw.) So, at break even, with no other company overhead, your product costs $400. Now if you take a more realistic view that most opticians already have the software they need, your annual sales expectation is probably more like 100 units, not 1000, and now you're looking at a $4000 price tag.
Before you start talking open source, blah blah, let's not forget that this is a highly specialized application with very little general appeal, and no geek factor. The best you could hope for would be a project that somewhat resembles what you want and paying (by the hour I might add) to have someone adapt it to your needs. This quickly adds up too.
All that having been said, the solution is actually simpler than it sounds. Good XP emulation is not that hard to find. WINE already does a pretty good job of it, and is unlikely to be end-of-lifed any time soon. It is likely that the best alternative for these boutique operations is to switch to Ubuntu or Debian with WINE, and be reasonably certain that they can survive the next hardware upgrade. It won't be cheap, but it will be better than $10k for a new copy of xyz opticiansoft, and it will be M$ proof.
I wish I had a good sig, but all the good ones are copyrighted
Yea, not being able to afford an upgrade is not an excuse. That's like a truck driver saying he can't afford to buy new tires. At some point he's going to have to or he's not going to be driving his truck.
Paying taxes to buy civilization is like paying a hooker to buy love.
As a small business consultant who has run into this problem a number of times, as you said, airgapping doesn't always work. However, I have one customer who is security conscious and would rather alter his way of doing business than expose customer data and infrastructure to viruses.
Two separate networks run on two separate switches (yes, VLANs could have been used, but the switches didn't support them). Each port in the building can be configured to the internal or external network. Wireless is only available on the external network.
To this end:
1) The ultrasound computer is airgapped because it's running Windows XP. Specifically, the software for the US machine is very old and only runs on XP, and upgrading would be a $10,000+ purchase (new US machine, not just the software cost).
2) The records keeping and accounting is separate from the internet. Customer records are only available on the internal network, and not connected directly to the internet. These computers are thin clients with USB mass storage support disabled.
3) The internet computer is a disposable kiosk computer, which has no access to customer records. If someone wants to look something up (i.e. a rare disease), that computer is available for that. It's also accessible for emails.
This has worked remarkably well. In the (extremely rare) event that an US picture needs to be emailed, the US computer is briefly connected to the internet behind a NAT firewall. We've had zero viruses or known intrusions on the internal network in 10 years.
The doctors at this office are accustomed to the inconveniences that this brings, but they work around those issues. They did business for over 30 years with paper records, and they see no need to switch. The idea that some sensitive data gets leaked or hacked is more important than the minor efficiency gains they could achieve. However, this is a rare case. Most of my customers demand all their computers be internet-connected.
-=Lothsahn=-