Continued Use of Windows XP
Support for Microsoft’s Windows XP operating system ended on April 8, 2014. This means that security updates and technical support were discontinued. While recent articles have noted some complicated ways to keep receiving support, the fact remains that support has ended. What is surprising is the number of users still running the outdated operating system. Plenty of statistics show that large numbers of users still run it, and we also see it in use in the field.
In today’s threat landscape, running an unsupported operating system is asking for a breach. Knowing how many XP users remain, hackers immediately started targeting Windows XP machines following the end of support. The fact is that if you are using Windows XP, it is not “if” you will be attacked, it is “when” you will be attacked. There are costs involved with upgrading, but the costs of a major security breach far outweigh them.
Regulatory bodies have also started to issue opinions on outdated operating systems. With regard to HIPAA-compliant entities, HHS has not issued an outright mandate to stop using XP, but per the guidance at the link below, you can read between the lines and know what they are implying.
We have also seen state regulatory bodies issuing more prescriptive guidance to compliant entities to stop using XP altogether.
As mentioned previously, we strongly recommend upgrading if you are still using Windows XP. If you must continue using Windows XP, we recommend implementing additional compensating controls to reduce the threat surface. If you have any further questions regarding the risks related to continued use of Windows XP, feel free to reach out to us.
Shane M. O’Donnell, CISA, CPA, MSA
Chief Audit Executive