Legacy systems and devices are pervasive in healthcare. Large healthcare organizations often have many systems and devices that contain components that have reached end-of-life and are no longer supported. When software, firmware, or hardware reaches end-of-life and support is no longer provided, vulnerabilities will no longer be fixed, which means legacy systems and devices will be vulnerable to cyberattacks.
Software developers and device manufacturers provide ample notice of the end of support to give their customers time to plan and perform upgrades to newer technology, software, and systems. Healthcare organizations should plan for upgrades and ensure they are performed ahead of the date when support comes to an end. In an ideal world that is easily achievable but, in healthcare, it is not that simple.
Software solutions may have been written for a specific operating system such as Windows XP, and may not work properly on later versions of the operating system. Since many legacy systems are used to provide critical care, it may not be possible to have downtime while systems are upgraded without putting patient safety at risk, sacrificing the availability of data, or compromising data integrity. Large numbers of systems and devices may depend on a legacy system and performing an upgrade may be incredibly complicated. Further, in healthcare, there are often competing priorities and obligations that need to be carefully balanced. It may not be possible to dedicate the time, funds, or human resources needed to retire and replace legacy systems and devices.
The continued use of software and devices after they have reached end-of-life is not in itself a HIPAA violation. However, the security of legacy systems and devices must be considered. Additional safeguards or compensating controls are likely to be required to ensure the security of legacy systems and any ePHI that is accessible through them.
In its monthly cybersecurity newsletter, the HHS’ Office for Civil Rights (OCR) reminded HIPAA-regulated entities of the importance of securing their legacy systems and devices to ensure continued compliance. The failure to do so could put patient data at risk or even result in patient safety issues.
OCR reminded HIPAA-regulated entities of their responsibilities under the HIPAA Security Rule, which “requires covered entities and their business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI throughout their environment, including ePHI used by legacy systems.”
In order to complete an accurate and comprehensive risk assessment, it is necessary to have an up-to-date asset inventory that includes all legacy systems and devices. Without a complete asset inventory, HIPAA-regulated entities may find it difficult to understand where critical processes, data, and legacy systems reside within their organization.
“Many health care organizations rely on legacy systems, which is a term for an information system with one or more components that have been supplanted by newer technology and for which the manufacturer is no longer offering support,” explained OCR. “But despite their common use, the unique security considerations applicable to legacy systems in an organization’s IT environment are often overlooked.”
To ensure compliance, all potential risks and vulnerabilities to ePHI created, received, stored, maintained, or transmitted by legacy systems and devices must be identified and reduced to a low and acceptable level as part of the risk management process. That process should also include, if possible, a plan for the eventual retirement and replacement of a legacy system.
The measures that need to be implemented until a legacy system is replaced will be specific to each system. The most common measures used to mitigate a legacy system’s risk are upgrading to a supported version or system, contracting with a vendor to provide extended support, blocking access to the system from the Internet, segregating it on the network, and maintaining the legacy system while strengthening existing controls or implementing compensating controls. If additional security measures or compensating controls are implemented, they need to be tailored to the legacy system.
OCR suggests the following:
- Enhanced system activity reviews and audit logging
- Restricted access by reducing the number of users
- Strengthened authentication and access controls
- Restriction of functions or operations that are not strictly necessary
- Strengthened backup solutions
- Creation of contingency plans as there is an increased likelihood of system failure
- Implementation of more aggressive firewall rules
- Use of supported anti-malware solutions
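As an added illustration of how the asset inventory, end-of-support check and compensating-control review described above fit together, the following script (written for this page; it is not OCR guidance or any vendor's tool) walks an inventory, flags assets whose components have passed their vendor end-of-support date, and records which of the listed mitigations (Internet blocking, network segregation, reduced user count, audit logging, extended support) are missing. All product names, hostnames and dates in it are constructed sample data, and the risk-rating thresholds are assumptions a real risk analysis would replace with its own.

```python
"""Inventory-driven legacy-system risk check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Constructed end-of-support table: product -> date the vendor stopped support.
# In practice this comes from vendor lifecycle notices, not from a hard-coded dict.
END_OF_SUPPORT = {
    "ExampleOS 5": date(2014, 4, 8),
    "ExampleOS 10": date(2030, 1, 1),
    "PumpFirmware 2.1": date(2019, 6, 30),
}


@dataclass
class Asset:
    hostname: str
    product: str
    internet_reachable: bool   # can the host be reached from the Internet?
    segmented_vlan: bool       # is it isolated on its own network segment?
    extended_support: bool     # vendor contract for post-EOL patches?
    audit_logging: bool        # enhanced activity logging in place?
    user_count: int            # accounts with access to the system
    handles_ephi: bool         # does it create, store or transmit ePHI?


def is_legacy(asset, today):
    """True if past end of support, False if supported, None if the product
    is not in the lifecycle table (an inventory gap that must be resolved)."""
    eos = END_OF_SUPPORT.get(asset.product)
    if eos is None:
        return None
    return today >= eos


def missing_controls(asset):
    """List the compensating controls from the OCR list that are absent."""
    gaps = []
    if asset.internet_reachable:
        gaps.append("reachable from the Internet")
    if not asset.segmented_vlan:
        gaps.append("not segregated on the network")
    if not asset.audit_logging:
        gaps.append("no enhanced audit logging")
    if asset.user_count > 10:  # assumed threshold for "restricted access"
        gaps.append(f"{asset.user_count} users; reduce to the minimum needed")
    return gaps


def risk_level(asset, today):
    """Assumed rating scheme: supported -> low; EOL with all controls and
    extended support -> low; EOL ePHI system exposed or unsegmented -> high."""
    legacy = is_legacy(asset, today)
    if legacy is None:
        return "unknown"
    if not legacy:
        return "low"
    gaps = missing_controls(asset)
    if asset.extended_support and not gaps:
        return "low"
    if asset.handles_ephi and (asset.internet_reachable or not asset.segmented_vlan):
        return "high"
    return "medium" if gaps else "low"


def assess(inventory, today):
    """Return (hostname, level, gaps) for every asset needing action."""
    findings = []
    for a in inventory:
        level = risk_level(a, today)
        if level != "low":
            findings.append((a.hostname, level, missing_controls(a)))
    return findings


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Asset("lab-analyzer-01", "ExampleOS 5", True, False, False, False, 25, True),
    Asset("infusion-pump-07", "PumpFirmware 2.1", False, True, True, True, 3, True),
    Asset("nurse-ws-12", "ExampleOS 10", False, True, False, True, 5, True),
    Asset("hvac-ctl-02", "UnknownCtrl 1.0", False, False, False, False, 2, False),
]
TODAY = date(2023, 10, 1)  # constructed assessment date

if __name__ == "__main__":
    for host, level, gaps in assess(SAMPLE_INVENTORY, TODAY):
        print(f"{host}: {level.upper()} - " + ("; ".join(gaps) or "lifecycle data missing"))
```

The "unknown" outcome is deliberate: an asset whose product is absent from the lifecycle table cannot be rated, which is exactly the inventory gap OCR warns about, so it is reported alongside the high-risk findings rather than silently treated as supported.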