Six Ways Legacy Systems Expose Healthcare Organizations to Security Risks

Summary

Cyberattacks in healthcare continue to cause major turbulence. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reported a 264% increase in healthcare ransomware attacks over the past five years. Hospitals and health organizations are facing a massive increase in ransomware worldwide, and especially in the United States, with a 73 percent increase in attacks. These attacks on critical systems force the cancellation of surgeries and exams, and sometimes even halt an entire health system’s operations. The aftereffects of recovering from a breach can cost more than on average, plus the challenges of reputation repair. To fight off cybercrimes before they happen, a healthcare organization should examine its weak links, starting with its legacy systems.

Electronic health record systems (EHRs) have an important and expanding responsibility to enable interoperability (record sharing) between providers, payers, patients and other users. However, many EHRs developed years ago are not able to deliver on current and future needs and will be upgraded or replaced.

Upgrading or replacing an EHR is only part of the solution. Currently, 73 percent of healthcare providers still use legacy information systems and the average organization has almost 1,000 unique applications in use. Beyond the technical limitations, legacy systems are a leading bad practice for healthcare security, according to the Cybersecurity and Infrastructure Security Agency (CISA).

Healthcare is a leading target for cyber-attacks, and legacy technology is reported as the third-biggest security challenge facing healthcare cybersecurity programs.

It is imperative to review the entire IT landscape for security risks and make necessary changes.

Six major security risks lurking in legacy systems.

  1. Easy Back-Door Entry – Unsupported or end-of-life systems, with silos of data stored in outdated software, are the easiest entry points for hackers. Network servers are the target for more than 50 percent of all hacking-related breaches. Poor security protocols and weak infrastructure make it easy for a hacker to gain access to a legacy system and then move freely throughout the network. There can be upwards of 30-40 legacy systems running in maintenance mode at a health system, which is the equivalent of having doors and windows unlocked and ripe for attack.
  2. Lack of Vendor Support – With outdated systems, there often is a lack of regular security updates, which leaves them open to cyber-attacks. A lack of support from the manufacturer means a lack of available security patches.
  3. Technical Risk – Legacy software kept running in read-only mode is ripe for corruption, breakdown, cyberattack or even internal threats. There also may be a lack of internal system experts who are familiar with how to operate the legacy system, which can further complicate workflows.
  4. Non-Compliance with HIPAA – Legacy systems may not be HIPAA compliant, which increases the risk of potential breaches and leaves the organization vulnerable to penalties and sanctions. The HIPAA Security Rule requires covered entities and their business associates to implement safeguards that reasonably and appropriately secure electronic patient health information (ePHI) that these organizations create, receive, maintain or transmit. Legacy systems can make patient and other records vulnerable during a cyber or phishing attack.
  5. Absence of Monitoring Capabilities – Many legacy systems are not equipped to monitor and audit user activity, data access and use. Most older systems were designed for easy data access, as security was not as big a factor when the systems were implemented.
  6. Internal Threats – Legacy systems often have limited security protocols, which creates an opportunity for employee mistakes or insider threats. These two categories are responsible for most healthcare system breaches. The average healthcare organization has 31,000 sensitive files (about 20 percent of all files, including HIPAA-protected information, financial data and proprietary research) that are open to everyone in the organization.

How to improve cybersecurity preparedness for a healthcare organization.

The first step is to follow the HIPAA Security Toolkit. This will help the organization take stock and manage its ongoing risk. The next critical step is to become HITRUST CSF certified. This globally recognized standard provides a comprehensive, flexible, and efficient approach to regulatory standards compliance and risk.

With these two frameworks in place, it is recommended to centralize legacy data into an active archive like HealthData Archiver®. This helps ensure the organization meets regulatory requirements that can include record retention of six to 30 years or more while also allowing legacy systems to be decommissioned. A streamlined portfolio offers a host of security, cost and other benefits.

The Harmony Healthcare IT team of data extraction and migration experts have helped hundreds of healthcare delivery organizations decommission legacy systems and safely consolidate patient, employee and business records from more than 550 different clinical, financial and administrative software brands.

For more information about securing legacy healthcare data and deflecting cyberattacks, check out this white paper: Security Focus Creating a Legacy Data Management Plan and the 10 privacy and security questions to ask an archiving partner. With 87 percent of healthcare’s security issues in the last 12 months involving a third-party breach, it is critical to scrutinize every supporting organization and utilize best practices for third-party risk management.

Beyond the obvious reasons to take cybersecurity seriously, the Department of Health and Human Services (HHS) released 10 essential and 10 enhanced cybersecurity performance goals designed to better protect the healthcare sector from cyberattacks. The guidance is expected to include financial penalties in the form of reduced payments to certain hospitals that fail to meet cybersecurity standards beginning in fiscal year 2029.

If you are ready to move forward with a legacy data management strategy, we are ready to help.

Let’s connect.

Dec 02 2024