Four Tips to Fortify Defenses for Protected Health Information (PHI)


A new report by Verizon finds that healthcare is the worst industry at stopping insider data breaches. Employee errors and malicious insider activity account for about 56% of healthcare data breaches, making healthcare the only industry in which insiders top the 50 percent mark.

The report recommended that the healthcare industry institute full disk encryption to protect sensitive healthcare information on devices and put in place policies and procedures to monitor access to protected health information (PHI).

We agree. More security measures need to be in place to protect health data, and that applies not only to current records but to legacy data as well.

In fact, Harmony Healthcare IT recently became the first discrete data archiving company certified by FairWarning to implement its audit platform for monitoring the long-term security of historical patient and employee record storage.

For more information about how this partnership adds another layer of security to your legacy health data, check out our recent blog.

Outdated Systems Can Be Vulnerable

In our work helping healthcare organizations of all sizes archive legacy data, we see the same security issues again and again, caused by outdated systems and by too many data silos that each need to be protected. The main issues include:

  1. Unencrypted data in transit – many legacy applications run on very old technology that introduces a multitude of vulnerabilities, especially while data is moving between systems.
  2. Unsupported operating systems – Microsoft Windows 2003 is still out there without any patches. Healthcare organizations are left with the tough choice of riding it out and hoping that nothing happens.
  3. Insecure legacy data applications – many applications lack back-end security features and functions such as audit logs, password strength requirements, password resets and screen locks, and so would not meet NIST or HITRUST certification.
  4. Outdated security protocols – older systems support only older protocol versions, so a connection with a newer system auto-negotiates down to the weaker system's capabilities.
  5. Unregulated back door access – mainly a result of acquisitions, and sometimes of self-developed systems that retain vulnerable back entry points long after the developer is gone.

Archiving legacy data takes the vulnerability out of your environment by consolidating legacy data applications into one secure system. Think of your applications as a building. You have a lot of doors and windows you need to secure. If you have 40 applications and each is an island with its own door or window, some have bad locks and some have no locks at all. Now think about having all of your legacy systems in one building that is a highly secure environment. Makes sense, right? Here is a starting point.

Four Tips to Excel at Legacy Data Management and Defend Against Cyberattacks:

  1. Get an inventory – Make sure you have a complete inventory of every application and the operating system it runs on. Seek out every clinical, financial, inpatient, outpatient, administrative and ancillary system.
  2. Basic discovery – Once you have the inventory, do some fact checking to confirm which operating systems the applications are on, as well as the size and type of each system.
  3. Prioritize – Look at the risk associated with each system, and also look into contract renewal dates and support costs.
  4. Source a vendor – Look for a vendor with broad enterprise experience to do the heavy lifting and the technical experience to archive all types of databases. Look for vendors with HITRUST certification.
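The inventory, discovery and prioritize steps above, worked through as an added example that is not Harmony Healthcare IT's code: a constructed inventory of legacy applications is scored against the issue list from the previous section (unsupported OS, unencrypted transit, weak protocol negotiation, missing audit logs, back-door access) and ordered for archiving, with contract renewal dates as the tie-breaker. The field names, weights and sample systems are all assumptions.

```python
from datetime import date, timedelta

# Reference date for the renewal check (assumed: the post's publication date).
AS_OF = date(2018, 5, 14)

# Constructed sample inventory, not real systems. Fields are assumptions about
# what the inventory and discovery steps would capture for each application.
INVENTORY = [
    {"app": "Legacy Lab", "os": "Windows Server 2003", "os_supported": False,
     "encrypted_transit": False, "min_tls": None, "audit_logs": False,
     "unmanaged_backdoor": True, "renewal": date(2018, 9, 30)},
    {"app": "Old Billing", "os": "Windows Server 2008 R2", "os_supported": True,
     "encrypted_transit": True, "min_tls": (1, 0), "audit_logs": True,
     "unmanaged_backdoor": False, "renewal": date(2019, 6, 30)},
    {"app": "Radiology Archive", "os": "RHEL 7", "os_supported": True,
     "encrypted_transit": True, "min_tls": (1, 2), "audit_logs": True,
     "unmanaged_backdoor": False, "renewal": date(2020, 1, 1)},
]

# One rule per issue from the list above: (predicate, weight, finding).
# Weights are assumed; tune them to your own risk model.
RULES = [
    (lambda r: not r["os_supported"], 40, "unsupported OS, no security patches"),
    (lambda r: not r["encrypted_transit"], 30, "unencrypted data in transit"),
    (lambda r: r["encrypted_transit"] and r["min_tls"] is not None
               and r["min_tls"] < (1, 2), 15, "auto-negotiates down to TLS < 1.2"),
    (lambda r: not r["audit_logs"], 10, "no audit logging"),
    (lambda r: r["unmanaged_backdoor"], 25, "unregulated back-door access"),
]

def score_app(rec, today):
    """Return (score, findings) for one inventory record."""
    score, findings = 0, []
    for predicate, weight, finding in RULES:
        if predicate(rec):
            score += weight
            findings.append(finding)
    # A renewal due within six months is the cheapest moment to retire the app.
    if rec["renewal"] - today <= timedelta(days=180):
        score += 10
        findings.append("contract renewal due within 180 days")
    return score, findings

def prioritize(inventory, today):
    """Order apps for archiving: highest risk first, earliest renewal breaks ties."""
    rows = [(rec["app"], *score_app(rec, today), rec["renewal"]) for rec in inventory]
    return sorted(rows, key=lambda row: (-row[1], row[3]))

if __name__ == "__main__":
    for app, score, findings, renewal in prioritize(INVENTORY, AS_OF):
        print(f"{score:3d}  {app:<18} renews {renewal}  {'; '.join(findings) or 'no findings'}")
```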

Retiring legacy applications and moving their data to an accessible archive is an important step toward securing your organization's health data. The result is stronger security for your data, along with additional benefits: reduced costs, minimized risk, fewer support issues, simpler access and merged data silos. Retiring legacy applications into one secure archive is a solid step in the right direction.

Harmony Healthcare IT is a FairWarning Ready Healthcare Data Archiving Partner.

FairWarning® is a registered trademark of FairWarning, Inc.

Ready? We are. Contact us.

May 14 2018
