EMRs Under Attack: Legacy Software Ranks as No. 1 Cybersecurity “Bad Practice”

Summary

EMRs now account for nearly 10 percent of cyberattacks, with legacy software offering some of the easiest entry points. With the price tag for a healthcare data breach reaching an all-time high, decommissioning aging, out-of-production applications to secure patient, employee and business records is more important than ever before.


Fighting cybercriminal activity in healthcare is a nonstop battle, with attackers constantly escalating their tactics and varying their targets. More than ever, cybercriminals are targeting EMR applications to siphon as much data as possible, cause operational damage, and push for ransom payments. Since 2018, there has been a 264 percent increase in large breaches that involve ransomware attacks.

Smaller hospitals, physician groups and specialty clinics are particularly vulnerable to hacking or IT incident breaches because they often have fewer resources to protect themselves. Midsized hospitals also report being hit harder than their larger counterparts.

With the price tag for a healthcare data breach at an all-time high of $11 million, looking at your EMR environment for weak links is a smart move for organizations of every size.

Legacy Software and Hardware are the Weak Links in Healthcare Security

Cyberattacks are not only grabbing headlines but causing major turbulence in healthcare, forcing the cancellation of surgeries, radiology exams and other services when systems, software and networks are attacked and disabled. The cost to the breached organization is high, both in economic loss and in reputation repair. Protecting a healthcare organization takes many steps, and it starts with understanding not only everywhere electronic protected health information (ePHI) resides, but also the security vulnerabilities associated with legacy systems across the enterprise.

Legacy/Unsupported Software Ranks No. 1 as a “Bad Practice”

According to the Cybersecurity and Infrastructure Security Agency (CISA), the use of unsupported (or end-of-life) software is a Bad Practice that increases risk to critical infrastructure including public health and safety.

Multiple silos of data stored in outdated systems offer the easiest entry points for attackers: software that has reached end of life no longer receives security patches, so any vulnerability discovered after that date stays exploitable for as long as the system remains on the network. Legacy software kept running in read-only mode is not exempt. Read-only access limits what users can change, but the unsupported application and the operating system beneath it are still reachable and still unpatched, leaving them exposed to corruption, breakdown, cyberattack and insider threats. Closing those open doors and windows by decommissioning legacy software is a smart and necessary step in your organization's long-range security plan.

Healthcare Providers Must Strengthen Their Cyber Posture

While there are best practices for health data management, many organizations are finding it necessary to allocate more resources toward security preparedness. According to a recent survey by Healthcare Information Management and Systems Society (HIMSS), 55 percent of healthcare cybersecurity professionals reported an increase in their cybersecurity budgets. While healthcare spending on cybersecurity may be difficult to increase, the recent HIMSS survey also notes that those “not investing in their cybersecurity programs will likely struggle to keep up with evolving threats.” The time is now to take the recommended action steps to better protect patient, employee, and business records.

The one, two punch: Costs can add up with cyberattacks and new penalties for failure to protect ePHI

If defending against cyberattacks wasn't enough of a reason to take action, there also are regulatory penalties for failing to meet compliance standards. The HIPAA Privacy, Security and Breach Notification Rules carry civil monetary penalties for covered entities such as health plans, health care providers and health care clearinghouses, as well as for business associates, that fail to protect the privacy and security of protected health information. HIPAA stipulates four tiers of violations that reflect increasing levels of culpability, with minimum and maximum penalty amounts within each tier. Separately, as of July 2024, HHS has finalized "disincentives" for health care providers found to have engaged in information blocking, adding another financial consequence for mishandling health data. Having a thorough privacy and security plan is more than a necessity; it is a critical mission.

An Important To-Do: Decommission Aging, Out-of-Production Applications

When decommissioning legacy systems and deciding how to handle legacy data in order to reduce the risk to your ePHI, there are a few things to ask any prospective archiving partner.

The data extraction and migration experts at Harmony Healthcare IT have helped healthcare delivery organizations decommission legacy systems and safely consolidate patient, employee and business records since 2006. Extracting, migrating and retaining legacy records from over 550 different clinical, financial and administrative software brands, Harmony Healthcare IT secures discrete data and images for the long haul on its cloud-based platform, HealthData Archiver®.

Stepping Up Defensive Moves to Protect ePHI

Need help protecting legacy records in this hostile, hacker-centric environment? Harmony Healthcare IT has been consistently ranked as the #1 data extraction, migration, and archival healthcare IT company according to Black Book Market Research for four years (2019-2022) as well as ranked #1 in the 2020 Best in KLAS Software & Services Report as a Category Leader in Data Archiving.

For more information about securing legacy healthcare data, reach out to connect.


This blog has been updated from the previous version published on Oct 04 2022.


Aug 27 2024
