Many hospital executives contend with older legacy IT systems that are vulnerable to cyberattacks and may violate HIPAA requirements. While technical challenges abound, one approach is to provide detection and response capabilities at the network firewalls that legacy systems already communicate through.
Regulatory Obligations to Protect Patient Data on Legacy Systems
HHS and OCR have noted that the HIPAA Security Rule requires covered entities to protect electronic protected health information (ePHI) on IT systems, including legacy systems. However, there are many challenges to implementing cybersecurity programs on these outdated, vulnerable systems. These challenges include:
- Inadequate security features for safeguarding PHI
- Lack of ongoing security updates
- Limited audit capabilities for incident detection
- Difficulty implementing strong data encryption
- Interoperability challenges hindering secure data exchange
- End-of-life issues for unsupported systems
- Difficulties meeting data retention and destruction requirements
How Legacy Systems Lead to Security Exposures
First, legacy systems often have outdated security features, lacking modern capabilities like robust encryption and multi-factor authentication. They also lack security updates, as they may no longer receive patches, leaving vulnerabilities unaddressed.
Next, legacy systems can be incompatible with modern security tools, making it difficult to implement comprehensive security measures. Interoperability problems can also leave security gaps where legacy systems interface with modern ones.
Legacy systems can also increase the attack surface by providing more potential entry points. When an incident does occur, limited audit capabilities make it harder to detect and investigate security incidents.
Legacy systems may also not support strong encryption methods, making data encryption difficult. Their authentication mechanisms are often weak as well, since legacy systems frequently rely on simple passwords alone.
The Challenges of Upgrading Legacy Systems
A 2021 HIMSS report states that 73% of healthcare providers may still use legacy systems. Upgrading these systems is challenging due to the complexity and interconnectedness of hospital systems, patient data retention requirements, and potential disruption to 24/7 operations.
Additional challenges include staff resistance to change, issues integrating with modern systems, security concerns during the transition, and specialized knowledge requirements.
Cybersecurity Options for Legacy Systems
HHS and OCR have noted ways in which covered healthcare providers can continue using legacy systems by strengthening security controls, including:
- Enhancing system activity reviews and audit logging to detect unauthorized activity.
- Restricting access to the legacy system to a reduced number of users.
- Strengthening authentication requirements and access controls.
- Ensuring the legacy system is backed up – especially if strengthened or compensating controls impact prior backup solutions.
- Implementing supported anti-malware solutions.
Protecting Legacy Systems via Network Firewalls (Perimeter defense)
Given that vendors and IT staff can be appropriately anxious about applying cybersecurity solutions directly on fragile legacy systems, are there ways to improve external security for these systems? Indeed, there are. HHS sometimes refers to these mechanisms as “compensating controls” and they can be implemented simply and effectively via a hospital’s existing firewall infrastructure.
- Network segmentation is a common best practice that involves isolating legacy systems from the rest of the network. However, this implementation can be very costly and complex. Busy IT organizations may not have the time or the skill to implement network segmentation successfully, or to maintain these configurations in an ever-changing IT environment.
- Continuous monitoring and defense: Another best practice is to use firewall-based mechanisms to detect and contain potential breaches that could impact the modern or legacy systems operating behind the firewall. With this approach, it may be possible to detect potentially malicious activity not inside the legacy systems but at the network communication level, which removes the need to install software or agents directly onto the legacy system. Optionally, healthcare organizations could also use firewall-based defense to block network activity to or from the legacy system, again without installing any agents.
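The detection-at-the-firewall idea above, as an added example that is not from the original article: an allowlist of the flows a legacy host legitimately needs is applied to the firewall's connection log, and every other flow to or from the host is flagged and turned into a candidate deny rule. The host address, peer networks, ports and the log line format are all constructed for this example.

```python
import ipaddress
import re

# Constructed addresses: the legacy host and the peers it legitimately needs.
LEGACY_HOST = ipaddress.ip_address("10.20.5.10")
# (direction, peer network, port): "in" = peer -> legacy on this legacy port,
# "out" = legacy -> peer on this peer port. Everything else is unexpected.
ALLOWED_FLOWS = [
    ("in", ipaddress.ip_network("10.30.1.0/24"), 104),   # DICOM from radiology workstations
    ("in", ipaddress.ip_network("10.40.0.5/32"), 445),   # nightly backup server over SMB
    ("out", ipaddress.ip_network("10.10.0.3/32"), 53),   # internal DNS resolver
]

# Constructed syslog-style connection log format of the firewall.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

def classify(line):
    """Return None for a flow that does not involve the legacy host or that is on
    the allowlist; otherwise a finding dict describing the unexpected flow."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    port = int(m["dport"])
    if dst == LEGACY_HOST:
        direction, peer = "in", src
    elif src == LEGACY_HOST:
        direction, peer = "out", dst
    else:
        return None
    for d, net, p in ALLOWED_FLOWS:
        if d == direction and peer in net and p == port:
            return None
    return {"direction": direction, "peer": str(peer), "port": port, "proto": m["proto"]}

def analyze(lines):
    """Run the allowlist over a batch of log lines; return the findings and the
    deny rules a defender could apply at the firewall without touching the host."""
    findings = [f for f in map(classify, lines) if f]
    rules = sorted({(f["direction"], f["peer"], f["proto"], f["port"]) for f in findings})
    return findings, rules

SAMPLE_LOG = [  # constructed lines: the first two are expected, the last two are not
    "2024-05-01T02:10:11 fw1 src=10.30.1.22 dst=10.20.5.10 proto=tcp dport=104 action=allow",
    "2024-05-01T02:11:02 fw1 src=10.40.0.5 dst=10.20.5.10 proto=tcp dport=445 action=allow",
    "2024-05-01T02:12:45 fw1 src=10.20.5.10 dst=198.51.100.7 proto=tcp dport=443 action=allow",
    "2024-05-01T02:13:03 fw1 src=10.60.9.14 dst=10.20.5.10 proto=tcp dport=3389 action=allow",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)[0]:
        print("unexpected flow:", finding)
```

The two flagged flows (the legacy host reaching an external address, and a remote-desktop connection from an unrelated segment) are exactly what a firewall-level control can block without any agent on the legacy system.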
Conclusion
Protecting legacy systems from data breaches is a critical challenge for hospital executives. While the measures outlined above can significantly improve security, they are not foolproof solutions. The most effective long-term strategy is to plan for the eventual replacement or modernization of legacy systems.
By taking a proactive and strategic approach to managing legacy systems, hospital executives can significantly reduce the risk of data breaches while ensuring continuity of care and regulatory compliance.