Legacy systems abound in healthcare organizations. Whether it’s diverse billing technology accumulated through a series of hospital acquisitions or a nutrition management application running on a server in the basement, it’s not uncommon to find outdated and unmaintained equipment and applications running throughout the modern healthcare organization.
All too often, those systems were designed and implemented by developers and engineers who have long since left the organization, leaving the programs to run unattended with no institutional knowledge of their structure or purpose.
Whether these applications are actively used as a critical component of daily activity or they lurk unused behind the scenes, legacy services pose a significant cybersecurity risk and should be carefully managed to protect the confidentiality, integrity and availability of essential healthcare information systems.
Understand the Risks of Legacy Systems on Healthcare Networks
Confidentiality issues vex the administrators responsible for maintaining legacy healthcare systems. Many applications were designed and built in a different era: a time before the advent of major data breaches and ubiquitous network connectivity.
Technologists designing these applications certainly had the best interests of the patient and the organization at heart, but simply had no idea what the future would bring. Continuing to operate these systems in the modern computing environment is fraught with risk as IT teams try to bolt on modern security measures to applications that were never designed to work in that environment.
Legacy systems are notoriously difficult to maintain. From outdated OSs to obsolete programming languages, it’s hard to find technologists with the ancient skill sets required to support these tools.
Manufacturers no longer provide performance or security patches, meaning healthcare IT teams are left to fend for themselves with the digital equivalent of a roll of duct tape. This leads to an extremely high risk that legacy systems will experience outages that can be quite time-consuming as modern technologists struggle to isolate and correct problems.
Healthcare organizations often struggle to apply the modern security and privacy controls required by the HIPAA Security Rule to legacy systems. Things get even more complicated when those systems contain medical and business records that may be subject to electronic discovery requirements.
Keep an Eye on How Consolidation Impacts Security
Organizations seeking to remediate their legacy systems should begin by developing an inventory of the tools in use throughout the enterprise.
Simultaneously, conduct an assessment of each system encountered, answering key questions, including:
- Is this system serving a crucial business need, or is it a candidate for elimination?
- Does the system serve a redundant purpose that could be consolidated with another existing system?
- Does the system store, process or transmit sensitive information?
- Is the system subject to regulatory or electronic discovery requirements?
- What technology components does this system rely upon?
- Are each of those components supportable in a modern environment?
- Who is currently supporting each component?
- Is the system architecture well documented?
- Are those components patched to current versions?
It’s crucial to consider not only core business systems but also the many applications that may have entered the organization through mergers and acquisitions over the years. It’s even more likely that those systems have been avoided by the central IT group if they haven’t caused any problems.
With the inventory in hand, develop a realistic, prioritized set of projects designed to remediate or replace each legacy system that poses an unacceptable level of risk.
Ideally, each legacy system will be either upgraded or redesigned to use modern, supportable technology. Unfortunately, that approach isn’t always feasible due to time and budgetary constraints. At the very least, technologists should attempt to remediate the system in place by performing partial upgrades and enhancing security controls.
In particularly problematic cases, insecure legacy systems may be placed on their own network segments to isolate them from internal and external threats. Network segmentation not only protects the legacy system from attack, but also can protect the rest of the computing environment should the legacy system become compromised.
Choose Between Data Migration or Archiving
Inevitably, organizations will find themselves decommissioning some legacy systems, whether those were developed internally or obtained as a result of mergers and acquisitions. IT leaders eliminating these systems face a decision about the data they contain: Should they migrate it to another enterprise system or archive it for future use?
The answer to this question depends primarily on the nature of the data and the current need for access. If the data contains recent patient records, it’s likely that business and regulatory requirements will dictate those records be migrated to other online systems. However, if the data is old or of questionable business value, the organization may decide to archive it to an online or offline storage solution.
Archiving data is far easier than migrating it but also dramatically increases the amount of time and effort required to access those records. IT and business leaders normally must make the decision to archive or migrate data on a case-by-case basis.
IT leaders must take the time to develop an understanding of where legacy technology exists in their environments and remediate the risks associated with operating legacy systems.