Some Windows XP Users Can't Afford To Upgrade

colinneagle writes "During a recent trip to an eye doctor, I noticed that she was still using Windows XP. After I suggested that she might need to upgrade soon, she said she couldn't because she couldn't afford the $10,000 fee involved with the specialty medical software that has been upgraded for Windows 7. Software written for medical professionals is not like mass market software. They have a limited market and can't make back their money in volume because there isn't the volume for an eye doctor's database product like there is for Office or Quicken. With many expecting Microsoft's upcoming end-of-support for XP to cause a security nightmare of unsupported Windows devices in the wild, it seems a good time to ask how many users may fall into the category of wanting an upgrade, but being priced out by expensive but necessary third-party software. More importantly, can anything be done about it?"

Disable Networking

[jacobsm]

Prevent those few computers that are running the program from touching the Internet in anyway. No networking services, web, email, ... or anything else. Make them strictly one function standalone devices.

Re:Helps but not a complete solution.

[rbprbp]

You can run Windows XP as a VM which is isolated from the internet through a firewall. That will probably help.

Re:Certification

[Mashiki]

I bet a lot of that $10k fee is due to the software requiring FDA certification.

Oh that wouldn't surprise me, back oh 15 years ago I helped due a transition from paper to electronic. It was right up along the lines of $38k here in Canada for the software. And my family doctor just dumped their old version of Wolf Medical to a new version, total cost for 6 computers? $118k.

Very common

[Anonymous Coward]

My old hospital was hit by this already. They couldn't afford an enterprise license from Microsoft that allows them to pick which version of windows to install on their PC's, (hundreds of thousands of dollars), some of our critical EMR software was only XP compatibe and would not work on WIndows7. When Microsoft quit selling XP and wouldn't allow us to downgrade our Windows 7 systems, we were in a bind. We were able to find some XP licenses in the wild but still are between a rock and a hard place. FDA certification for our EMR vendors is a pain and moving to the new version of windows is hard. I have no idea how we will overcome the sunsetting of XP.
 

Re:Should run on Win7

[slew]

No need to upgrade to new software, it should run on Win7. There are multiple ways to configure compatibility.

FWIW, Win7 seems to be much more friedly to this than win8.

I've had two 16-bit programs (one used for point-of-sale another a game my mom likes to play) hobbling along since win95. WinXP worked okay (some compatibility flags made it work), Win7 was a bear to make work with the printer and the point-of-sale program, and finally win8 broke both of them. No application error message, just win8 says, you can't run them anymore (the troubleshooter recommends using winxp mode sp3, but that doesn't work, nor do any of the other modes from win95, 98, me, XP-sp2, Vista, or win7, w/ or w/o administrator priviledges, or in reduced color mode). The orginal publisher of both pieces of software are no longer in business, so purchasing upgrades to the new OS is a non-starter.

I've had to downgrade two new computers back to win7 and winxp (didn't have more than one spare win7 licence, so I had to reach back to xp) to support these programs for now, but now the writing is on the wall. I'm sure that my case is not unique and given my predicament, I'm sure that there are some applications that just won't run on win7 either even in compatibility mode.

Re:Wrong platform

[ChumpusRex2003]

The problem is customers. I work at a major hospital and a local consortium is looking to purchase some new medical records software, worth about $10 million.

We've been drafting the new contract for tender, and line 1 of the tender instructions is "The software will run on Windows Server 2008 R2 or Windows Server 2012 64-bit on the servers, and on Windows XP, 7 and 8 32-bit and 64-bit on the client side". I protested at this, but was told by the technical chair, that this term was not negotiable as it was a critical part of the spec; they simply did not have the in-house experience to manage a *nix system.

Later on, there was another line in the tender instructions. "The distribution of the source code of the product must be strictly controlled with appropriate audit trails for persons who have seen it, includes the source code of any 3rd party components used within the product". Again, I protested about this, but the chair of information governance and security said, that this term was non-negotiable due to the large volume and the critical nature of the data stored in this system!!

Re:Certification

[puto]

I used to sell practice management.billing software in the 1990s, and what I found out, that a doctor who was clearing 30k a month in his practice, after all expenses paid, including his salary, was loath to spend 25k to modernize his office, and increase his billing revenue by 10%. Doctors are cheap. An ophthalmologist who cannot afford 10k is probably not one I would go to. One thing Windows did for the medical billing world was force traditional Unix vendors of billing software was to lower their price and up their game.

Maybe they don’t know all their options

[Udo Schmitz]

Very often I noticed that the industry software some small businesses use could be replaced with more standard solutions. I recently had to deal with a stonemason and his software. These days they plot stencils and sandblast the letters. I didn’t like the few fonts he offered for tombstones and there was no way to make a file for him he could import. As it turned out he would have had to buy an additional (very expensive) module for the program he uses to import other fonts or any vector graphic format at all. During my research I discovered that his “special stone mason software” was more or less a repackaged plotter software which would be more powerful and cheaper if bought directly from the source.

Re:I'm gonna say...

[HideyoshiJP]

This is potentially the case, but I've also seen numerous products in the medical field that won't run on Windows 7 because of poor decisions made during development. As an example, there is a piece of software (that's nearly up to date) that requires a specific version of Microsoft Forms Controls 2.0 (fm20.dll) and will encounter a memory error even on an up to date Windows XP example. Their tech support actually instructs you to replace the library in the Windows directory. Luckily, we're not complete tools and simply used redirection to an older copy in the executable's directory. Luckily, this is one case where we were able to find a workaround. There are so many poorly coded or managed pieces of software in the medical field it's difficult to stay up to date and not go broke. I've seen products developed by some amateur in VB without thought to which control he/she should be using (Hey! Forms 1.0, .net and an IE frame with an embedded apache page all in the same application form - why not!?). I've also seen those with MSI installers improperly coded that will fail to install on a 64-bit OS, requiring repackaging or extensive modification. Then there's the products managers purchased that rely on MS Office macros (my favorite!). These things are far more common than they should be, especially when Microsoft has entire documentation libraries and communities that can help developers/product managers adhere to best practices, even in advance of new product releases.

Re:specialty software prices

[Samantha Wright]

Actually—(a) they're just called "papers," the "white" part is a specific piece of IT jargon, and should be pronounced "scientific-sounding marketing material," as white papers are almost never rigorous or unbiased, and (b) there are plenty of books published at levels above the expected comprehension of a graduate course; these are usually bundles of papers and protocols (procedures). They're sometimes called "textbooks," but more properly "monographs [wikipedia.org]."

And for what it's worth, graduate textbooks and monographs are cheaper than undergraduate textbooks because they involve fewer writers, as the material is more narrow and there are fewer experts available. Monographs in particular are exceptionally cheap because the idea of publishing a book generally comes up after the material has already been written.

Regarding the availability of content, however, the Internet is really not all that it seems when it comes to content for fourth-year undergrads and grad students. Textbooks targeted at such groups generally require combing a great deal of journal articles, which are generally available, but may not necessarily be in a consumable format. My favourite example is this paper [sciencedirect.com], which outlines a method of constructing a solution to a problem (WJISP in polynomial time) and then completely fails to explain how the method works (It takes about half an hour to work out even when you know what they're talking about.)

This is where having a competently-written textbook becomes invaluable, and were it not for Wikipedia, many more topics would be completely unrepresented in any electronic secondary source.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Unplug the computer from the WWW

[Lothsahn]

As a small business consultant who has run into this problem a number of times, as you said, airgapping doesn't always work. However, I have one customer who is security conscious and would rather alter his way of doing business than expose customer data and infrastructure to viruses.

Two separate networks run on two separate switches (yes, VLAN's could have been used, but the switches didn't support them). Each port in the building can be configured to the internal or external network. Wireless is only available on the external network.

To this end:
1) The ultrasound computer is airgapped because it's running Windows XP. Specifically, the software for the US machine is very old and only runs on XP, and upgrading would be a $10,000+ purchase (new US machine, not just the software cost).

2) The records keeping and accounting is separate from the internet. Customer records are only available on the internal network, and not connected directly to the internet. These computers are thin clients with USB mass storage support disabled.

3) The internet computer is a disposable kiosk computer, which has no access to customer records. If someone wants to look something up (ie. rare disease), that computer is available for that. It's also accessible for emails.

This has worked remarkably well. In the (extremely rare) event that an US picture needs to be emailed, the US computer is briefly connected to the internet behind a NAT firewall. We've had zero viruses or known intrusions on the internal network in 10 years.

The doctors at this office are accustomed to the inconveniences that this brings, but they work around those issues. They did business for over 30 years with paper records, and they see no need to switch. The idea that some sensitive data gets leaked or hacked is more important than the minor efficiency gains they could achieve. However, this is a rare case. Most of my customers demand all their computers be internet-connected.

Re:Certification

[nonameisgood2]

But doctors in small towns (population 10k or less), barely scraping by because half of the population is at or below poverty level, are paying the same as those in this big city. They all have to meet the same federal mandate to bill electronically (which requires internet access to a clearinghouse) and provide electronic medical records to insurers and other doctors as needed. And I do the IT from 400 miles away, also requiring that I have remote access. I found an excellent package for about $5k, for my wife's practice, but it is tailored to the small to mid-sized practice. We also pay $2k/yr for maintenance and updates. But it's on MacOS, an OS which is now mature enough to avoid software-shaking changes from year to year. (macpractice.com)

Re:I'm gonna say...

[TheRealMindChild]

Forms 2.0 is a 16-bit rich ActiveX library from old Microsoft Office, which is probably also a majority 16-bit. Of course it wouldn't work on 64bit Windows. This is why Windows 7 has its XP mode

Re:Helps but not a complete solution.

[crazycheetah]

I'm in agreement with you.

On the flip side, I can think of one hospital I worked at that was a constant back and forth between the guys doing the network security and the doctors. The doctors won every time, with the guys doing the network security walking away with scraps of their generally good ideas. They eventually found a good compromise that didn't leave a bunch of security issues, but the doctors had the better leverage and wanted ease of use if they were going to use the computers at all. They just wouldn't use your computers if you made it too difficult (which was not very difficult at all, but not as easy as the old ways they did things). That said, they were able to figure things out, but if security makes the doctors' life more difficult, they'd rather just do it all without the computers, making the whole thing a moot point.

Re:Helps but not a complete solution.

[Architect_sasyr]

Yeah, best case we've deployed is a Citrix XenApp farm coupled with local computer access. Xen servers control medical software, local desktops are pretty free for email and porn (a surprising amount of porn for medics who are idle). We can control the Xen computers easily enough this way, local computers are wiped if they have a problem via our "perfect world" deployment policy*. It's nice, compromises are minimalistic at best and we segregate the desktops from the servers pretty solidly (with the file/print servers in the middle - "dual homed").

Doctors can do what they want, netops are happy with what they get to lock down, and we even pass a lot of the DSD compliance ratings (not that we're audited, but it's a good benchmark).

*Can't solve your problem in 10 minutes, a further 5 minutes to blow the machine back to standard image. 5 more to reconfigure default accounts and such (which is automated, but we also need to wait for download/ sync of emails etc.). 20 minutes downtime from start of call to end, maximum.

Re:Easy solution...virtualization.

[Darinbob]

And who sets this all up for the doctor or dentist, and how much are they going to charge, and what is the maintenance charge to make sure it keeps working and the person who set it up is available to fix it in a day's time if necessary?