In the digital age, healthcare systems stand as vast repositories of personal and sensitive data, containing a wealth of personally identifiable information and intimate health records. However, this treasure trove has also attracted the attention of malicious threat actors with ulterior motives. These individuals exploit the valuable nature of healthcare data to orchestrate extortion schemes, leveraging the sensitive content they possess.
The existence of legacy systems in healthcare remains a vulnerability, exposing both the sector and its stakeholders to potential attacks. This includes the prominent concern of patient data exposure, which is still prevalent in almost 73% of organizations.
Legacy systems are any outdated computing software, hardware, technology, or data system that may not be supported by the manufacturer and, thereby do not get the required maintenance.
Windows 7 is a legacy system that some people continue to use despite Microsoft no longer supporting it after 2020.
Sticking to legacy devices has been associated with risks of increased costs due to the lack of knowledge on the part of system users, and negligence leading to cybersecurity threats.
Such usage of legacy devices exposes data to cyber criminals as system updates are also no longer made available for outdated devices that can be exploited more readily.
Advisor to CXO, and a business advisor with over 25 years of experience, Mayurakshi Ray shared her observations with The Cyber Express about the use of legacy devices. She said, “People are at the heart of the healthcare industry, and to serve a great deal of people the automation required is, unfortunately, not often considered the highest business priority.”
“Legacy applications, legacy hardware (with out-of-support OS), and even legacy processes continue in the healthcare sector, across India and the world,” Ray added. Among the reasons for this was the focus on data privacy rather than regulatory guidelines focus more on data privacy rather than systems.
Ray shed light on the shortage of healthcare application by stating, “Health Information Management Systems (HIMS) are still few in number, owned by big healthcare organizations and are largely beyond affordability of the majority of hospitals and healthcare organizations, including Business Associates (BAs).”
She shared that new functionalities are hardcorded instead of programmed onto the application codes making them prone to errors.
Navigating Legacy Devices and the Modernization Challenge
Keeping the exploitation and risks in mind, the White House announced work towards a 10-year modernization plan for the federal civilian agencies. This plan will help drop all the legacy devices across Federal Civilian Executive Branch.
Chris DeRusha, Federal CISO and deputy national cyber director for federal cybersecurity shed light on the implications of relying on legacy IT systems. He told Nextgove/FCW that there was a need for a 10-year modernization plan.
“Legacy IT modernization is the number one biggest rock that needs to get moved for us to be able to secure our systems,” he added.
Legacy systems have created a modernization barrier that made implementation of guidance around encryption and multi-factor authentication complex.
It is imperative for all sectors including the healthcare to follow suite and replace legacy systems to safeguard data from cybercriminals that hack devices and leak exfiltrated information on the dark web.
Healthcare Sector Cyber Attacks
While revenue from medical devices is expected to reach $400 billion in 2023 yet healthcare remains one of the most targeted sectors.
According to reports, over 40% of healthcare data breaches were due to third-party insiders who had advanced permissions.
Nearly 94% of organizations work with third-party insiders giving testimony to the threat landscape if adequate precautions are not taken.
Giving system access to third-party insiders has created a bigger threat landscape posing increased privacy concerns.
An example is the MOVEit file transfer vulnerability exploitation which was the third-party file-sharing platform breached by hackers. This led to the compromise of over 600 of its client organizations.
The victims included several healthcare organizations in the US with the recent victims being the Colorado Department of Health Care Policy & Financing and PH Tech. This chain of cyber attacks is expected to affect over 47 million people drawing attention to the need for better cybersecurity in the healthcare sector.
Impact of Relying on Legacy Systems in Healthcare
“Maintaining legacy systems can pose significant challenges for the federal government,” said Chuck Young, the Managing Director, Public Affairs, GAO (US Government Accountability Office) when asked about the impact of using legacy systems.
Elaborating on the negative impact, Chuck wrote, “The consequences of not updating legacy systems can include operating with known security vulnerabilities, reduced ability to meet mission needs, difficulty finding knowledgeable staff, and increased operating costs.”
Thus, he further stated that it is important for agencies to identify and develop plans for their most critical legacy systems in need of modernization.
Technical Debt Due to Legacy Systems
Legacy systems have outdated software and hardware with a framework that is no longer supported by the manufacturer creating what is known as a technical debt.
Let’s understand the issues with technical debt due to legacy systems –
- Cyber risk due to no software updates
- Non-compliance
- Non-compatibility with other software and security update
- Missed scalability reducing chances of expansion
- Lack of flexibility in pairing with devices
- Reduced interoperability leads to limited resource-sharing
- Increased power consumption without power-saving parts
Legacy systems in healthcare decrease clinician productivity and increase patient stay in the hospitals.
According to reports, the utilization of legacy systems incurs an annual expense of $8.3 billion for US hospitals due to outdated technology leading to communication delays of approximately 45 minutes.
When IT staff take time to understand the changing use and application of technology, it is only understood that hospital and related healthcare staff will need more time to migrate to modern tech. This is also because healthcare staff gain training that is hyper-focused in their field of study alone.
This brings to mind the question if healthcare staff and teams are trained in healthcare cybersecurity in medical schools as well.
If not, which most likely is the case, when would they be trained for cyber-security in healthcare? Seeing the rapid increase in cyberattacks on healthcare, it is imperative to train each and every employee in healthcare cybersecurity.
Delayed Migration from Legacy Devices in Healthcare and its Consequences
The losses due to the use of legacy systems in healthcare give rise to the question, of why people and organizations still use them.
Of the many reasons, two of the striking ones included – difficulty in migrating to modernized versions because of the lack of technical knowledge and resistance in doing so by the key decision-makers.
Reiterating the same and adding new inputs, Tony Jaros, CEO of Legacy Data Access gave a glimpse of the changing facets of tech usage in the healthcare sector.
“Often, only the most experienced IT employees – many of whom are retiring or mo.ving on from healthcare – have deep knowledge of these systems,” he told Healthcare IT News.
“Newer talent coming in can be hesitant to mess with existing infrastructure for fear of breaking something and losing valuable data,” Tony added.
With the groundbreaking changes made in the cybersecurity industry each day, regulations, and federal agency reports, it is unavoidable to turn to modern versions of devices. The migration may seem daunting as old staff who understood and got used to the same tools over the years may face difficulty in adjusting to the latest tech.
However, it is essential to be done and must be done sooner rather than later for cyber-security in healthcare.
Legacy systems in healthcare must be replaced with the updated and latest versions to ensure healthcare cybersecurity because failure to do so calls for legal action against organizations.
An Upgrade report summed up the same by adding, “One of the most common HIPAA violations that healthcare systems are penalized for is failing to encrypt their digital devices because they still use outdated security policies.”
Risk Management Plan in Healthcare Organizations
Mayurakshi Ray reiterated that there is a need to have a comprehensive risk management plan in healthcare organizations. She said that there must be a risk inventory of all legacy systems in the organization.
Moreover, to curb risks, they must identify risks associated with each type/ group of legacy systems. She noted the following steps to curtail risk in the legacy systems in healthcare –
- Conduct regular system audits and vulnerability scans and develop plans to address any vulnerability.
- Ensure that systems are regularly updated with the latest security protocols.
- Additionally, implement security controls such as data encryption, access control and user authentication to ensure the security of patient data
- Lastly, where the assessment shows that it’s not feasible or possible to manage the operations securely, look at retiring the systems, after appropriate measures to delete all patient and confidential data.
The Need to Migrate from Legacy Systems in Healthcare
Migrating with a view to transition from legacy medical systems to the upgraded versions would offer many benefits.
Besides rebuilding to increase the scope and specification of the legacy systems in healthcare, the following could be attained with the long-awaited switch –
- Reassembled software modules with newer interfaces via software engineering methods for seamless integration of older and newer system components as needed.
- Redeployed legacy applications to other platforms without having to revise its code sources and capabilities.
- Optimized codes that reduce risks and technical issues via refactoring.
- Shift to a different technology that allows reconceptualization of legacy systems in healthcare for newer capabilities.
Legacy software modernization and migration to upgraded systems and applications can be done with the help of a qualified software developer, engineer, or a chief technology officer. The process may take some time before which backups and other operations can done.
This will allow seamless continuation of the healthcare services as the migration gets done. It would need all the staff of connected entities to be alerted, and trained, into using the latest technology once the system migration in the hospital takes place.
Legacy systems modernization can either mean completely changing all the systems or keeping some systems with a multi-phased approach. Revolutionary modernization would mean a complete transformation to modern systems while evolutionary modernization approaches modernization in parts.
However, choosing a hybrid solution can lead to complications while data migration to the cloud and other processes. Hence, it would be best to go for the complete overhaul especially if the systems, applications, programming language and technology no longer receive software upgrades or tech support.
Even after migrating from legacy devices, there may be complications for which the healthcare staff will have to maintain a regular flow of communication with the engineers to get clarity over the issue.
No migration can be done leaving doubts and loopholes unattended because of the critical nature of the service provided by the healthcare and how a single mistake can cause danger to life and data.
The staff will need to practice using the changed systems and have all the users openly discuss doubts because there are going to be several after using the older technology for a prolonged duration.
Accommodating with the healthcare system upgradation from legacy systems may need practice just like the profession of medicine itself. However, it could all be done with patience and collaborative team effort.
The migration from legacy systems in healthcare will add to the security of data and reduce accidents involving human error with advanced alerts and notices. It is better to move with time and stay safer even if it means changing traditional methods of working in the healthcare sector.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
