Securing legacy systems within healthcare
by Kapua Iao
Covered entities heavily rely on technology for day-to-day and critical operations and unfortunately rarely reexamine cybersecurity for their legacy systems.
Cyberattackers know this and tend to focus their attacks on unpatched vulnerabilities. Furthermore, the HIPAA Security Rule requires healthcare organizations to implement cybersecurity that strongly safeguards protected health information (PHI).
A balance of PHI security, solid patient care, and HIPAA compliance is vital within the healthcare industry. This is why it is up to healthcare providers to understand their technological systems and how to shield them.
What is a legacy system?
In 2020, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint alert on the top 10 routinely exploited vulnerabilities. One of the weaknesses it examines is legacy systems.
A legacy system is an information system with one or more components succeeded by newer technology. It can be hardware or software. Such devices are typically described as obsolete, old, or outdated.
For example, Microsoft ended its support of Windows 7 in January 2020, yet many organizations are still running it. The FBI has even observed cyberattacks against organizations using this operating system.
Legacy systems can cause problems such as unretrievable data, weak cybersecurity, and non-compliance with regulations such as HIPAA. More than likely, the manufacturer no longer supports them or provides updates for them.
Legacy systems and healthcare
The HIPAA Security Rule requires healthcare organizations to implement reasonable and appropriate safeguards to secure PHI. It puts the HIPAA Privacy Rule into practice by addressing how PHI is to be protected when it is used and disclosed.
The idea is to demonstrate that every effort was taken to block data breaches.
We can pinpoint several reasons why healthcare organizations still operate legacy systems:
- IT is often overlooked by healthcare administrators
- Organizations may not be able to replace them without disrupting patient care
- Hospitals may be reluctant because their employees are familiar with them
- Other systems may depend on them or are incompatible with newer systems
- There is a lack of time, funds, and/or personnel to properly implement the change
- Organizations may rely on a vendor (i.e., business associate) who depends on a legacy system
Do you have legacy systems?
One other possible reason for legacy systems in healthcare is that some organizations may not know they even use them.
A risk assessment helps organizations find the most effective and most appropriate mix of safeguards to properly protect electronic PHI (ePHI). As a foundational step to HIPAA compliance, a risk assessment tracks potential risks and vulnerabilities including out-of-date systems.
Therefore, an asset inventory, a comprehensive list of an organization’s IT resources, is a starting point for the risk assessment. It provides a catalog of systems to analyze for weaknesses.
Most importantly, healthcare providers need a clear strategy to minimize risks and ePHI loss. A strong plan will help decide if it is possible to replace, update, or patch out-of-date technology.
What could you do?
Once your risks and vulnerabilities are determined, you can figure out what liabilities to patch, upgrade, or replace.
IT professionals tend to concentrate on patching, but some legacy systems are so old they cannot be patched. For these, there are largely three routes to follow.
First, organizations could remove or segregate the legacy system without replacing it. This eliminates the software or hardware as a possible threat vector. PHI is still accessible and usable, but not by threat actors.
And third, organizations could replace it with a cloud-based solution.
In fact, the HIPAA Security Rule supports new technologies if they aid in patient care and keeping PHI safe. But obviously, not every organization can spend the time or money, which is why legacy systems are still active within healthcare.
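As an added illustration of the steps above (asset inventory, risk assessment, then deciding whether to patch, segregate, or replace), here is a small Python script that is not part of the original article: it checks a constructed inventory against vendor end-of-support dates and lists the findings with ePHI-handling systems first. Only the Windows 7 date comes from a known fact; the other platform names, their dates, the asset list, and the review date are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

AS_OF = date(2021, 1, 1)  # constructed review date for this example

# Vendor end-of-support dates. Windows 7 support ended on 14 January 2020;
# the other two platforms are constructed placeholders for vendor lifecycle data.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "ExampleOS 2015": date(2019, 3, 31),   # constructed placeholder
    "ExampleOS 2021": date(2028, 3, 31),   # constructed placeholder
}

@dataclass
class Asset:
    name: str
    platform: str
    handles_ephi: bool        # does the system store or process ePHI?
    patchable: bool           # can it still receive vendor or local patches?
    isolated: bool            # already on a segregated network segment?

def classify(asset, today):
    """Map one inventory entry to a remediation route."""
    eol = END_OF_SUPPORT.get(asset.platform)
    if eol is None:
        return "unknown"      # platform not in lifecycle data: inventory gap
    if today < eol:
        return "supported"
    if asset.patchable:
        return "patch"        # out of support but still updatable
    if not asset.isolated:
        return "segregate"    # cannot be patched: first remove it as a vector
    return "replace"          # already isolated; plan its replacement

def review_inventory(assets, today):
    """Return (name, route) pairs, ePHI-handling legacy systems first."""
    findings = [(a.name, classify(a, today), a.handles_ephi) for a in assets]
    actionable = [f for f in findings if f[1] != "supported"]
    # ePHI systems outrank the rest; then sort by name for stable output
    actionable.sort(key=lambda f: (not f[2], f[0]))
    return [(name, route) for name, route, _ in actionable]

# Constructed sample inventory for a small clinic.
SAMPLE_ASSETS = [
    Asset("lab-analyzer", "Windows 7", True, False, False),
    Asset("front-desk-pc", "Windows 7", True, True, False),
    Asset("imaging-archive", "ExampleOS 2015", True, False, True),
    Asset("break-room-pc", "Windows 7", False, True, False),
    Asset("billing-server", "ExampleOS 2021", True, True, False),
    Asset("old-fax-gateway", "VendorOS ?", False, False, False),
]
```

Entries that come back as "unknown" are as important as the legacy ones: they show where the inventory itself is incomplete.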
Understand HIPAA and employ strong cybersecurity
Nonetheless, healthcare providers must understand HIPAA and its guidelines to have good cyber hygiene. While it may seem tough to patch, secure, or replace legacy systems, it is essential for organizations with critical operations.
If not done properly, a covered entity will more than likely face a data breach and HIPAA violation.
Recovering from either can be difficult, especially if faced with a shutdown, HIPAA fine, or ransom payment. Rather than deal with such frustrations, healthcare professionals should build solutions into an organization’s cybersecurity program from the beginning.
Knowing what you employ and how it relates to HIPAA is vital, especially when it comes to legacy systems.
Some healthcare organizations unfortunately think that fixing such issues is too significant an investment of effort, time, and funds. But in the long run, the cost of mitigating a breach may ultimately be higher.