By Dan Kompare, VP of Information Systems
Legacy data archiving initiatives can reduce security vulnerabilities for healthcare organizations by enabling the removal of outdated systems. Yet many CISOs and health IT leaders approach legacy data archiving with caution, and for good reason.
I’ve spent more than two decades in highly regulated technology environments with a focus on data integration and security, and I can tell you that any introduction of new technology or third-party partners should trigger rigorous security scrutiny.
Legacy data archiving is no exception. Healthcare continues to be a prime target for cybercriminals, and nearly one-third of healthcare security breaches originate from third-party compromises.
Key risks associated with third parties include:
- Expanded attack surface. Each third-party vendor granted access to your system creates another potential entry point for attackers.
- Outdated security practices. Vendors operating with unpatched systems and vulnerable technology can increase your security risks.
- Superficial compliance practices. Vendors that lack substantive security assessments can also increase your security risks.
These risks, while legitimate, should not deter any healthcare organization from pursuing legacy data archiving initiatives. When executed properly, archiving significantly strengthens your security posture by eliminating vulnerable legacy systems while generating substantial cost savings. The key is finding a partner that can deliver all the security benefits of archiving without introducing new risk exposure.
Here are nine essential security requirements I recommend every healthcare organization prioritize when evaluating legacy data archiving vendor partners:
1. Alignment with key regulatory frameworks. The vendor should be HITRUST certified and align with all relevant regulatory frameworks, including HIPAA, NIST, ISO 27001, and COBIT. The vendor should engage in regular internal and external audits to ensure compliance.
2. A comprehensive information security program. The vendor should maintain a formal, documented Information Security Management Program (ISMP) based on industry standards like NIST 800-53 or ISO 27001/2. This program should be reviewed, updated, and independently audited at least annually, with letters of attestation readily available upon request.
3. Industry-leading data protection and encryption standards. All sensitive data should be encrypted both at rest and in transit using FIPS 140-2 compliant cryptographic modules: AES-256 for storage and TLS 1.2 or higher for data in transit. Data should reside in Tier III, SOC 2 Type II certified data centers with IP whitelisting and network segmentation enforced.
4. Continuous monitoring and threat detection. The environment should be monitored 24/7 using industry-recognized security monitoring platforms. Tools such as CrowdStrike, Arctic Wolf, Rapid7, or SentinelOne are commonly used examples; however, organizations should select solutions that best align with their risk profile, architecture, and operational maturity. Capabilities should include automated alerting, configuration management, vulnerability scanning, and regular risk assessments to ensure rapid threat detection and response.
Tip: Ask potential partners which monitoring tools they use and why. They should clearly articulate their decision-making process and how they determined which solutions would deliver the highest level of security.
5. Strict access controls and authentication requirements. Access to systems and data should be governed through role-based permissions and multi-factor authentication for privileged accounts. Access rights should be granted by the customer and project, then reviewed regularly per HITRUST CSF requirements.
6. Rigorous third-party access protocols. Third-party access should only be granted after due diligence, contract signing, and implementation of required controls. Physical access to sensitive areas should be restricted, monitored, and regularly reviewed.
7. Annual security awareness training for all team members. All personnel should receive role-specific annual security training, including incident response and data protection protocols. Compliance should be enforced through audits, with disciplinary action for violations. Monthly organization-wide phishing tests and bi-weekly reviews of security metrics should take place.
8. A formal, tested security incident response plan (SIRP). The plan should follow the NIST 800-61 framework, covering preparation, detection, containment, eradication, recovery, and post-incident review. Quarterly training and simulations should ensure team readiness.
9. Robust business continuity and disaster recovery capabilities. The vendor should maintain a documented disaster recovery plan with full backups and daily incremental changes replicated to a secondary data center for seamless failover.
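Requirement 3 above (TLS 1.2 or higher for data in transit, IP whitelisting) is one of the few items on this list that a customer can verify technically rather than by reading an attestation letter. The following is an added example, not code from this article or from Harmony Healthcare IT. It uses only the Python standard library: a client context that refuses anything older than TLS 1.2, a check on the protocol name an endpoint actually negotiates, a fail-closed allowlist check, and a small assessor that turns those into findings. The `probe_endpoint` helper needs network access and a real vendor hostname, so it is not exercised offline; the hostname, IP addresses and CIDR ranges below are constructed sample values.

```python
"""Vendor transport-security checks: minimum TLS version and IP allowlisting.
Added example (not the article author's or vendor's code); stdlib only."""
import ipaddress
import socket
import ssl

# Floor required by the article: TLS 1.2 or higher for data in transit.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def make_client_context() -> ssl.SSLContext:
    """Client-side context that refuses TLS 1.0/1.1 and SSLv3 outright and
    verifies the server certificate and hostname against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS          # handshake fails below TLS 1.2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_version_compliant(negotiated: str) -> bool:
    """Classify a protocol name as reported by ssl.SSLSocket.version()
    ('TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3', 'SSLv3').
    Anything that is not TLS >= 1.2 is non-compliant."""
    if not negotiated.startswith("TLSv"):
        return False                        # SSLv3 or an unknown string: fail closed
    rest = negotiated[len("TLSv"):]
    major, _, minor = rest.partition(".")   # 'TLSv1' has no minor part
    try:
        return (int(major), int(minor or "0")) >= (1, 2)
    except ValueError:
        return False


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Connect to a vendor endpoint and return (negotiated protocol, cipher name).
    Requires network access; run it against the vendor's real hostname."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def ip_allowed(addr: str, allowlist: list) -> bool:
    """True only if addr falls inside one of the allowlisted CIDR ranges.
    Malformed addresses or ranges are treated as NOT allowed (fail closed)."""
    try:
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)
    except ValueError:
        return False


def assess_transport(negotiated: str, client_ip: str, allowlist: list) -> list:
    """Turn a negotiated protocol and a client source address into a list of
    findings; an empty list means both checks passed."""
    findings = []
    if not tls_version_compliant(negotiated):
        findings.append(f"transit: negotiated {negotiated}, requirement is TLS 1.2 or higher")
    if not ip_allowed(client_ip, allowlist):
        findings.append(f"access: {client_ip} is outside the allowlist {allowlist}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not a real vendor network.
    allow = ["10.20.0.0/16", "2001:db8::/32"]
    for proto, ip in [("TLSv1.3", "10.20.30.40"), ("TLSv1.1", "192.0.2.5")]:
        result = assess_transport(proto, ip, allow)
        print(proto, ip, "->", result or "PASS")
    # Against a live vendor endpoint (hostname is a placeholder):
    # print(probe_endpoint("archive.example-vendor.invalid"))
```

Design note: `make_client_context` is what you would put in your own integration code so that a regression on the vendor's side (for example a load balancer re-enabling TLS 1.0) surfaces as a failed handshake rather than a silent downgrade, while `probe_endpoint` is the one-off check to run during evaluation and at each annual review.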
Final Recommendations
While these security requirements establish a critical foundation for vendor evaluation, they are just a few of many requirements to consider. Your organization’s unique risk profile, compliance obligations, and operational needs may require additional security considerations beyond this baseline. The right archiving partner will not only meet these fundamental requirements but will also engage in transparent dialogue about your specific security concerns and demonstrate flexibility in addressing them.
If you are evaluating legacy data archiving vendors, ask our team to walk you through our security framework and show you how we eliminate third-party risk. Contact us today.
Dan Kompare has over 20 years of experience in Information Technology since graduating from Purdue University with a specialty in data integration and work in bioinformatics and EHR system design. Throughout the years, he’s had a hand in system administration, networking, security, data analytics, database administration, software development, and senior leadership over critical infrastructure. Today, Dan leads the Harmony Healthcare IT DevOps, Cloud Infrastructure and Security teams.