VFP End of Life

Status
Not open for further replies.

psparrow

Programmer
Jul 21, 2000
15
US
I knew this day was coming but I thought I had more time. Now that MS has announced the end of all VFP support as of 1/13/15, I need to get my butt in gear. I have several applications that contain HIPAA protected patient data and have been told that my systems will no longer be compliant. I thought that as long as VFP continued to work, I was golden for at least a few more years. Anyone else in the same boat?

Anyway, I have been searching for an alternative to VFP and one possible solution is Filemaker. Anyone have any insight or experience moving apps from VFP9 to Filemaker? I downloaded the demo and have been trying to evaluate it. At face value, it seems like a useful tool but I still have a ways to go to determine suitability.

TIA for any direction you can give.

PS
 
Exactly. However, I have been told that data on an unsupported software system is no longer HIPAA compliant.

As you all probably know, Windows XP will no longer be supported by Microsoft as of April 8th. I understand that anyone still using Windows XP after that date will no longer be compliant with the Mass Data Privacy law or HIPAA or PCI regulations.

Believe me, I will leave VFP kicking and screaming but it could be a legal issue. I, like many of you, have been using Foxpro since the DOS days and you know the saying about old dogs & new tricks.

 
I knew this day was coming

Yes, so did we all. We've had several years of warning. And we've discussed the subject ad nauseam.

The simple fact is this: Visual FoxPro will continue to work in exactly the same way after January 2015 as it did before. Nothing will have changed. If your application works now, it will continue to do so.

Listen, if you've got something new to say on the subject, by all means do so. Otherwise let's stop flogging dead horses and get on with our work.

Mike



__________________________________
Mike Lewis (Edinburgh, Scotland)

Visual FoxPro articles, tips and downloads
 
I realize it will still work - it's about the legalities, that's all. I've searched for info on this issue and come up empty. I need my applications to be HIPAA compliant.
 
Use SQL backend (or mySQL or Oracle)

That's what I did.

I re-created, from ground up, my app to use pure 100% SQL backend and the front end is VFP, and has HTML5 and CSS and some .Net libraries.

People ask, what you use for the app? I say, it is SQL 2012 BackEnd... and that's the end of Story.

Ez Logic
Michigan
 
I'm sorry, but I've never heard of these legal requirements. What does "HIPAA compliant" mean? What are the Mass Data Privacy law and PCI regulations?

And can you clarify what you mean when you say that data held by unsupported software is no longer compliant? I would guess that half the software in use today is unsupported. Are their users falling foul of the law in some way?

Please understand, I'm not saying you are wrong about this. It's likely that you are making a very valid point. It's just that it's come as news to me, and no doubt to many others as well.

Mike

__________________________________
Mike Lewis (Edinburgh, Scotland)

Visual FoxPro articles, tips and downloads
 
Mike - there are privacy laws in the US protecting health info and in the state of Massachusetts we have a data privacy law. If my software apps did not contain PHI (protected health info) I would not be as concerned. Up until this time, being HIPAA compliant was not a big issue - just require password protection, security levels, user logs etc.

A co-worker has alerted me to the issue of possible non-compliance of some of our customers still using Win XP when it is discontinued soon:
This gentleman told me the same thing will happen when VFP reaches its end of life early 2015. I have several dozen clients using some form of software I created with VFP9.

That is the reason for my concern.
 
For Mike and others who might be 'across the pond'...

HIPAA is a US Regulation
Health Insurance Portability and Accountability Act (HIPAA) of 1996
And it is MOST applicable in regards to Medical Information situations, but other industries are adopting the standard as a 'just in case' protection.
Another set of similar US regulations are included under PII (Personally Identifiable Information) which is not quite as strict, but many industries are adopting this as well.

However, when you read the HIPAA regulations, compliance is largely related to data security.

And, as has already been mentioned, if you migrate your application's data source to MS SQL Server you can retain HIPAA compliance.
You might also consider Encrypting your application's Personal Data within the MS SQL Server to even better ensure compliance.

Do a Google Search for: hipaa software compliance checklist

Good Luck,
JRB-Bldr
 
If your VFP app was using DBF files, chances are it was never HIPAA compliant as data needs to be encrypted. I know nothing about filemaker, but if it encrypts data and can be password protected, odds are, it will be compliant. However, doctors and hospitals are becoming more tech savvy and using tablets and other devices more and more. Questions you should be asking:

- Is mobile device support important?
- Does filemaker run on mobile devices such as iPad, Samsung tablets, etc?
- Would a web app make more sense?

Craig Berntson
MCSD, Visual C# MVP,
 
I am still exploring Filemaker so I am not totally clear on the security issue yet. It does appear to have a lot of features built in. One thing that FM offers is the easy development of mobile apps.

One of my larger systems is a web based product that my clients access via Terminal Server. We host the application on our secure servers. At the suggestions from previous posters, I will explore migrating the data to the more secure MS SQL while maintaining the application in VFP9. That would be an ideal scenario.

As for my standalone, less complex apps - I am thinking a migration to Filemaker Pro Advanced might be the right route as long as I can duplicate the functionality (and of course guarantee data security).

 
PS,

So you are saying that the laws apply in the United States, and that it applies mainly to sensitive information like health data? OK, that's helpful to know. I hope you understand why I had to ask you to explain. We had no way of knowing which country you are in, or which industry you work in.

So, clearly, this is a fairly specialised issue, that isn't going to affect the majority of VFP developers. Also, if I've understood it right, it affects the data, not the software. On that basis, either Craig's right, and DBFs were never compliant. Or, if DBFs were compliant before the withdrawal of VFP support, I would guess that they would continue to be so afterwards - given that DBFs are an open format that anyone can write software to access.

But this is clearly outside my competence, so I'll shut up now. And thanks for clarifying the question.

Mike


__________________________________
Mike Lewis (Edinburgh, Scotland)

Visual FoxPro articles, tips and downloads
 
In my view, there's a world of difference between WinXP going out of support and VFP going out of support. The concern with WinXP is that there will be no more security updates and people will keep finding new exploits. IIRC, there's been exactly one security update in the life of VFP.

If you really feel you have to get your data out of VFP, I agree with the recommendation to go to SQL Server or another back-end server, but you can keep your front-end in VFP. How hard that would be depends on the architecture of your application. If data access is reasonably isolated, then it's easy. If data access is seriously entwined with the UI, much harder.

Tamar
 
So, clearly, this is a fairly specialised issue, that isn't going to affect the majority of VFP developers.

Only if you define "most VFP developers" as being outside the US and having no dealings inside the US. :) It's actually quite broadly applicable.

HIPAA and PCI affect a ton of people, but people haven't been paying attention until recently (and many still aren't). As Craig rightly points out, if an application stores data in DBF files it never was and never will be compliant with any of the relevant security standards.

But the funny thing about standards is that there are so many of 'em. It turns out there are generally "short form" compliance methods that CAN (in some cases) be brought to bear. If you're storing credit card information, no way. If you're storing billing information about healthcare (but not actual patient healthcare information), you can sometimes thread the needle.

It isn't an issue where you can shrug and say "it doesn't affect very many people" because it actually DOES affect very many people.
 
There are special compliance requirements for hardware and software in the health sector and other such sensitive areas in Germany, too. And I guess that's valid almost world wide. As far as I searched about the HIPAA topic, I didn't find compliance rules saying your software has to be developed in certain programming languages, even nothing about this software being in support by its vendor, it's mostly concerned about the data security and it's making very vague rules, not even specifying which encryption algorithms are to be used. So I guess Ez Logic is right, if you change your backend to the recent version of MSSQL you are mostly done. .NET offers some concepts about security, e.g. SecureString, which you won't have in VFP, so you could consider to make the whole step towards .NET client+MSSQL, which of course is a nice pair of frontend and backend software.

Filemaker is an all-in-one system like VFP and also supports use of other databases via ODBC, it's still developed and as you say it offers more modern UI and support of other devices. Still you'd need to redo the whole application in one step with new database and new frontend and new programming language.

Bye, Olaf.

 
Indeed VFP has a strong user base in the US as a US product. Indeed it originated from Hamburg Foxsoftware, but nowadays it's widely used in Asia (China, India), Arabic and Portuguese/Spanish speaking countries. Many also come to English forums, as it's the world language.

MasFoxpro.com once had a petition about the continuation of VFP and they made a list of companies using vfp and an overview of countries. Unfortunately the site is abandoned and not working anymore.

Bye, Olaf.
 
Tamar - a co-worker (he's a network admin, not a programmer) is the one who believes that the demise of XP (and the privacy issues its use will cause) and the end of life of VFP9. I am not 100% convinced.

I am trying to determine whether I can replicate some of my simpler, standalone apps in Filemaker and will explore the SQL Server solution for our hosted app.

I thank you all for your comments & opinions.
 
As said the end of life of XP is much more of a security concern than the end of life of VFP, if you look back and see how many 1.x,2.x and 3-9 version Foxpro applications still run unchanged. It's not much of an attack vector. Indeed other languages are more modern and can be hardened better, but you surely know several security oriented papers and conference sessions of Christof Wollenhaupt (aka Lange). E.g. you can make use of the same Crypto API embedded in Windows as .NET uses.

What's true for any end of life product is, that getting no support for it in case may mean a loss of data or functionality which can't be replaced right away, but even for supported OS, programming language and database in cases of security issues a fix takes its time, after the issue has been found. You always are vulnerable for first time exploits, nothing protects against that.

The security of VFP somewhat is similar to that of Linux, it's not such a big target, Linux hacks mainly are rootkits getting access to a Linux (hosting) server, as the market share for that is larger in Linux.

So finally VFP9 shouldn't be an issue, if that aspect of security is not addressed by the HIPAA compliance rules, but it'll be good to be prepared. I'd start with MSSQL Express or the Developer edition (which has the full Enterprise feature set, just with the restriction to not use it for production use), and you'll soon see you won't miss certain SQL features not available in VFP SQL. And you can learn and use this together with VFP.

Bye, Olaf.

 
For 10 years I worked for a company that wrote software for healthcare. HIPAA is a US law that covers personal health information. There has been a lot of misunderstanding about what that means. Typically, HIPAA compliant systems log all data updates and views to know who is accessing the data. Even timeouts for screen inactivity are required in the law. In a nutshell, anything that can identify a particular patient is private and access to even read the data has to be considered. Data items such as name, birthdate, street address (including zip code but not state), height, weight, social security number, etc. are all private. Doctor names are not protected. Data must be encrypted in the data store and over the wire. The law does not specify particular algorithms for encryption.

There is some question as to whether application software that has been discontinued (such as VFP) is no longer HIPAA compliant. Because the fines for HIPAA violations are high, I would err on the side of caution and rewrite the code in a supported language just to be safe.

Craig Berntson
MCSD, Visual C# MVP,
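
Added example, not part of any post in this thread: a small Python inventory script that reads a DBF table directly, showing the point made above that DBF rows sit on disk as cleartext readable without VFP, and flagging columns whose names suggest the patient identifiers listed in the last post. The `PHI_HINTS` fragments, the function names and the sample table are assumptions constructed for illustration; the layout is the plain dBase III header, so memo files and the VFP-specific field types are not handled.

```python
import struct

# Column-name fragments for the identifiers listed in the thread (name,
# birthdate, address, zip, height, weight, SSN); the fragments are assumptions.
PHI_HINTS = ("NAME", "BIRTH", "DOB", "ADDR", "STREET", "ZIP", "HEIGHT", "WEIGHT", "SSN")

def parse_dbf(data):
    """Return (fields, records) from raw DBF bytes; fields are (name, type, length)."""
    nrec, hdr_len, rec_len = struct.unpack_from("<IHH", data, 4)
    fields, pos = [], 32
    while data[pos] != 0x0D:                      # 0x0D ends the descriptor array
        name = data[pos:pos + 11].split(b"\x00")[0].decode("ascii")
        fields.append((name, chr(data[pos + 11]), data[pos + 16]))
        pos += 32
    records = []
    for i in range(nrec):
        rec = data[hdr_len + i * rec_len: hdr_len + (i + 1) * rec_len]
        if len(rec) < rec_len or rec[:1] == b"*":  # truncated file or deleted row
            continue
        row, off = {}, 1                          # byte 0 is the deletion flag
        for name, _type, length in fields:
            row[name] = rec[off:off + length].decode("latin-1").strip()
            off += length
        records.append(row)
    return fields, records

def phi_columns(fields):
    """Names of columns whose name suggests a patient identifier."""
    return [n for n, _t, _l in fields if any(h in n.upper() for h in PHI_HINTS)]

def build_sample_dbf():
    """Constructed two-row table (fictional values) in dBase III / DBF layout."""
    cols = [("LASTNAME", "C", 10), ("SSN", "C", 11), ("DOCTOR", "C", 8)]
    rows = [("DOE", "000-00-0000", "SMITH"), ("ROE", "000-00-0001", "JONES")]
    rec_len = 1 + sum(c[2] for c in cols)
    hdr_len = 32 + 32 * len(cols) + 1
    out = struct.pack("<B3BIHH20x", 0x03, 114, 1, 13, len(rows), hdr_len, rec_len)
    for name, typ, length in cols:
        out += struct.pack("<11sc4xBB14x", name.encode(), typ.encode(), length, 0)
    out += b"\x0d"
    for row in rows:
        out += b" " + b"".join(v.ljust(c[2]).encode() for v, c in zip(row, cols))
    return out + b"\x1a"

if __name__ == "__main__":
    fields, records = parse_dbf(build_sample_dbf())
    print("PHI-looking columns stored as cleartext:", phi_columns(fields))
    print("First record, read without VFP:", records[0])
```

Run against the real tables of an application, the flagged column list is a starting inventory of what has to end up encrypted and access-logged after a move to a server back end.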
 