A recent survey of more than 600 Chief Information Security Officers (CISOs) and other information security professionals from a variety of industries reports that 67 percent think their organization will face a cybersecurity data breach in 2018. Further, 60 percent are concerned about a data breach from a third party, such as a partner or vendor.

Healthcare rounded out 2017 as the most cyberattacked industry in North America and is predicted to remain a steady target for cyberattacks this year. Ransomware attacks on healthcare organizations are predicted to quadruple by 2020, according to Cybersecurity Ventures.

On a positive note, more than one third of the 600+ CISOs surveyed do see a path to a stronger cybersecurity posture, and half say their Boards are becoming more involved in IT security, providing more internal support.

Government/Industry Task Force recommendations to increase the security and resilience of health IT

One of the most important strategic action steps any healthcare organization can take is to secure its legacy EHR systems and medical devices. The Healthcare Industry Cybersecurity Task Force is a joint effort between 21 senior medical and government officials. The Task Force’s recent report details numerous recommendations for healthcare organizations to improve their overall IT security. The specific recommendations for legacy medical devices and EHR systems include:

Recommendation 2.1 – Secure Legacy Systems

Action Item 2.1.1 Health delivery organizations must:
1) Inventory their clinical environments and document unsupported operating systems, devices, and electronic health record (EHR) systems;
2) Replace or upgrade systems with supported alternatives that have superior security controls where possible;
3) Develop and document retirement timelines where devices cannot yet be replaced;
4) Leverage segmentation, isolation, hardening, and other compensating risk reduction strategies for the remainder of their use.

Action Item 2.1.2 Healthcare sector accreditation organizations (e.g., Joint Commission, and Centers for Medicare & Medicaid Services (CMS)) must:
1) Consider incentives, requirements, and/or guidelines for reporting and/or use of unsupported system and mitigation strategies; and
2) Develop aggressive timelines for conformance.

Action Item 2.1.3 For devices that still receive some support from the device manufacturer and/or application vendor, these organizations must make real time updates and patches (e.g., to the operating system, etc.), as well as make compensating controls available to end users. Organizations should also have a policy/plan in place to be able to receive and implement available updates.

Action Item 2.1.4 Government and industry should develop incentive recommendations to phase-out legacy and insecure health care technologies (e.g., incentive models like Cash for Clunkers, Montreal Protocol, and Federal IT Modernization Fund). As a part of looking at incentives, government and industry should create partnerships/alliances to establish roadmaps for joint enhancement of cybersecurity interoperability and maturity through better procurement processes.

Archiving Legacy EHR Data is Key to Increased Security

While incentives like “Cash for Clunkers” may not be in place yet to phase out potentially vulnerable legacy EHR systems, there certainly are many cost savings benefits to archiving historical data and closing the multiple doors and windows that may be leaving your healthcare organization ripe for a cyberattack.

A solid legacy data management strategy can be a smart step forward in managing historical patient, employee and operational data, well into the future, for healthcare provider organizations. The right strategy offers compliance with state and federal record retention regulations as well as a single, easy-to-use and secure solution for historical information.
As healthcare systems streamline to a single go-forward EHR or ERP system, so too should they streamline to a single archive for easy and secure historical record retrieval.

Do you have an accurate inventory of your legacy systems? If not, we have a template for creating an inventory of legacy systems that can help you get the details documented. Once your inventory of legacy systems is complete, submit it to us and then we can work on the five things to expect when you archive data. If you have questions about creating your inventory, call us at (800) 781-1044, Ext. 109. We look forward to reviewing your inventory and making recommendations to help you manage legacy systems in the most timely and cost-effective manner.

If you have more questions about healthcare information archiving, contact Harmony Healthcare IT, the makers of Health Data Archiver.

Note: Plan to visit Harmony Healthcare IT at the HIMSS18 Annual Conference and Exposition, March 5-9, 2018, at the Sands Convention Center in Las Vegas. Our team will be at booth #1454 and also in the Cybersecurity Command Center.

Plus, plan to attend a cybersecurity-focused presentation by Rick Adams, Vice President of IT and Chief Security Officer at Harmony Healthcare IT. The presentation, set for 4:30 – 4:50 pm on Tuesday, March 6, 2018, is titled “Healthcare Cybersecurity Strategy: Make a Big, yet Easy Defensive Move – Create a Legacy Data Management Plan.” Rick and our team will provide insights about the state of healthcare information security as well as outline proactive steps your organization can take immediately to minimize risks and increase security, specifically with regard to legacy data.

We look forward to connecting at HIMSS18. We are currently scheduling individual consultations and meetings to take place during the HIMSS event. Please reach out if you are interested in arranging a meeting.