The Department of Health and Human Services’ Office for Civil Rights (OCR) is advising clinicians to take a closer look at their legacy IT systems and devices. On October 29, 2021, OCR warned that these systems may be vulnerable to a cyberattack.
Legacy systems have at least one component that has been supplanted by newer technology and for which the manufacturer no longer offers support. Despite their widespread use, the unique security considerations that apply to legacy systems in an organization’s IT environment are often overlooked, according to the OCR.
“This warning is long overdue,” said Michael Greenberger, a professor of law and director of the Center for Health and Homeland Security at the University of Maryland Carey School of Law, Baltimore. The HIPAA security rules require covered entities and their business associates to implement safeguards that are reasonable and appropriate for securing electronic protected health information (ePHI). These rules apply whenever ePHI is created, received, maintained, or transmitted.
The technological footprint of a health care organization grows daily, and OCR wants providers to take the time to identify and assess their vulnerabilities. The biggest security risk is that legacy systems have no vendor support: newly discovered vulnerabilities are no longer patched, so the systems stay exposed for as long as they remain in service, putting them at heightened risk for cyberattacks.
‘Problem Begging to Become a Crisis’
Today, many organizations cannot replace their legacy systems without disrupting critical services or compromising data integrity. For health care providers, this can apply to medical devices, electronic health records, and other systems offering critical services. A medical practice may be reluctant to alter technology that appears to be working, or to deploy a new and unfamiliar system that may reduce efficiency or lead to increased user errors. The issue of liability, however, may supersede those factors.
The OCR notes that many health care providers may be reluctant to replace a system that is well-tailored to their business models. Another issue is that a medical practice’s legacy systems may not be compatible with newer systems. “It is a conundrum and it is not going to turn out well for those using legacy systems,” Greenberger said. “Someone is going to be held liable for information that is stolen. This is just a problem begging to become a crisis.”
Due to the COVID-19 pandemic, many medical practices do not have the time, staff, or money for the required IT investment. “There is going to be liability. It is like someone with an old car who doesn’t want to get a new car, even though they are safer. Then, they get in an accident and almost lose their life and lose the car. Up until then, you are saying the car is fine. Then a crisis happens,” Greenberger said.
While many factors may contribute to an organization’s decision to continue to use a legacy system, it is important that the organization include security in its considerations, especially when the legacy system could be used to access, store, create, maintain, receive, or transmit ePHI. The HIPAA security rules require covered entities and their business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI throughout their environment. This includes ePHI used by legacy systems.
Asset Inventory Recommended As First Step
The OCR recommends an accurate and up-to-date asset inventory as a useful first step because it can help organizations understand where critical processes, data, and legacy systems reside within their organization. After assessing the potential risks and vulnerabilities to their ePHI, covered entities and business associates should immediately take the necessary steps to reduce those risks and vulnerabilities. The OCR recommends mitigating a legacy system’s security risk by upgrading to a supported version, contracting with a vendor or a third party for extended system support, or migrating to a supported cloud-based solution. It also recommends removing or segregating the legacy system from the internet or from the organization’s network.
“Private information is going to be released willy-nilly because these systems are so hackable,” Greenberger said. “In the natural course of events, people are not going to go out on a limb and make changes, but we are months away from this becoming a necessity because the liabilities will become obvious. Insurance companies are going to tell them they won’t have insurance.”
OCR suggests enhancing system activity reviews and audit logging to detect unauthorized activity, with special attention paid to security configurations, authentication events, and access to ePHI. Covered entities and business associates are also told to restrict access to the legacy system to a reduced number of users and to prevent the legacy system from performing functions or operations that are not strictly necessary.
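The OCR recommendations above can be turned into a concrete activity review. The following is an added example, not code from the OCR bulletin or from anyone quoted in this article: it runs over a constructed audit log for a hypothetical legacy radiology system ("legacy-ris"), with invented user names, addresses and a key=value log format, and flags exactly the things OCR asks reviewers to watch for: accounts outside a small allow-list, access from outside the segregated network segment, functions the system should no longer perform, security configuration changes, ePHI access by accounts not cleared for it, and bursts of failed authentication. The log format and policy values are assumptions for illustration; adapt the parser to the real system's audit trail.

```python
"""Activity review for a legacy system that still handles ePHI (added example).

Assumptions: the audit trail is one event per line, 'TIMESTAMP key=value ...'.
Host, users, addresses and records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed audit log for a hypothetical legacy system on the 10.20.4.0/24 segment.
SAMPLE_LOG = """\
2021-11-02T08:14:03Z host=legacy-ris user=jdoe event=LOGIN src=10.20.4.15
2021-11-02T08:14:10Z host=legacy-ris user=jdoe event=PHI_READ src=10.20.4.15 record=MRN-44821
2021-11-02T08:20:41Z host=legacy-ris user=svc_backup event=LOGIN src=10.20.4.9
2021-11-02T08:20:45Z host=legacy-ris user=svc_backup event=PHI_EXPORT src=10.20.4.9 record=ALL
2021-11-02T09:02:12Z host=legacy-ris user=tmp_admin event=LOGIN src=10.20.4.30
2021-11-02T09:02:20Z host=legacy-ris user=tmp_admin event=CONFIG_CHANGE src=10.20.4.30 setting=audit_level value=off
2021-11-02T09:15:01Z host=legacy-ris user=rsmith event=LOGIN_FAILED src=192.168.77.5
2021-11-02T09:15:09Z host=legacy-ris user=rsmith event=LOGIN_FAILED src=192.168.77.5
2021-11-02T09:15:18Z host=legacy-ris user=rsmith event=LOGIN_FAILED src=192.168.77.5
2021-11-02T09:16:02Z host=legacy-ris user=rsmith event=LOGIN src=192.168.77.5
"""


@dataclass(frozen=True)
class Policy:
    allowed_users: frozenset            # the reduced set of accounts allowed on the system at all
    phi_users: frozenset                # subset of accounts cleared to touch ePHI
    allowed_events: frozenset           # functions the legacy system is still permitted to perform
    segment: ipaddress.IPv4Network      # the segregated network the system is confined to
    failed_login_threshold: int = 3
    failed_login_window: timedelta = timedelta(minutes=5)


# Hypothetical policy for the constructed system: export is no longer a permitted function,
# and the backup service account is not cleared to read ePHI records.
LEGACY_RIS_POLICY = Policy(
    allowed_users=frozenset({"jdoe", "rsmith", "svc_backup"}),
    phi_users=frozenset({"jdoe", "rsmith"}),
    allowed_events=frozenset({"LOGIN", "LOGIN_FAILED", "LOGOUT", "PHI_READ", "CONFIG_CHANGE"}),
    segment=ipaddress.ip_network("10.20.4.0/24"),
)


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' audit line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review_activity(log_text, policy):
    """Return findings as (timestamp, user, event, reason) tuples, in log order."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failed logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, kind = ev["user"], ev["event"]
        src = ipaddress.ip_address(ev["src"])
        stamp = ev["ts"].isoformat()

        if user not in policy.allowed_users:
            findings.append((stamp, user, kind, "account not on the legacy-system allow-list"))
        if src not in policy.segment:
            findings.append((stamp, user, kind,
                             f"access from {src}, outside the segregated segment {policy.segment}"))
        if kind not in policy.allowed_events:
            findings.append((stamp, user, kind, f"function {kind} is not permitted on this system"))
        if kind == "CONFIG_CHANGE":
            findings.append((stamp, user, kind,
                             f"security configuration changed: {ev.get('setting')}={ev.get('value')}"))
        if kind.startswith("PHI_") and user not in policy.phi_users:
            findings.append((stamp, user, kind,
                             f"ePHI access to {ev.get('record')} by account not cleared for ePHI"))
        if kind == "LOGIN_FAILED":
            # Keep only failures inside the sliding window; flag once when the threshold is hit.
            recent = failures[(user, str(src))]
            recent.append(ev["ts"])
            recent[:] = [t for t in recent if ev["ts"] - t <= policy.failed_login_window]
            if len(recent) == policy.failed_login_threshold:
                findings.append((stamp, user, kind,
                                 f"{len(recent)} failed logins within {policy.failed_login_window}"))
    return findings


def summarize(findings):
    """Count findings per account, to prioritise the review."""
    counts = defaultdict(int)
    for _, user, _, _ in findings:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_activity(SAMPLE_LOG, LEGACY_RIS_POLICY)
    for stamp, user, kind, reason in results:
        print(f"{stamp} {user:<11} {kind:<13} {reason}")
    print(summarize(results))
```

On the constructed log this produces no findings for the routine clinician session (jdoe), two for the backup account's bulk export, three for the unknown tmp_admin account that turns audit logging off, and five for rsmith, whose burst of failed logins followed by a success from a 192.168.77.x address is exactly the pattern a segregated legacy system should never show. The per-user summary is what a small practice without a SOC can actually act on.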
Edmon Begoli, the AI Systems R&D Section Head at Oak Ridge National Laboratory in Oak Ridge, Tennessee, said aging software, written in languages and using libraries that are no longer widely used, presents a maintenance burden. It also presents a security risk, because older systems tend to be more easily exploited in a cyberattack. “Although the cyber threat landscape is scary, following some basic best security practices can have a dramatic positive effect for the organizations,” Begoli said.
Best security practices include the use of anti-virus software, a strong password policy, and conducting backups. Other practices to improve security include regularly upgrading software, and using encryption for the protected data. “We need to ensure that our systems, including data, are properly protected, monitored and patched against vulnerabilities,” Begoli said. “This is even more important with the legacy systems because these were likely not built with the same privacy protections or cybersecurity controls as they would have been today.”