Jan 04 2023

Tips for Health Systems on Managing Legacy Systems to Strengthen Security

Bolstering basic security can help protect legacy systems as healthcare organizations make strides to modernize infrastructure.

Legacy operating systems and software applications are pervasive in healthcare, and they pose a serious security threat.

A 2021 report from Kaspersky Lab found that 73 percent of health systems used medical equipment running legacy operating systems. Not coincidentally, only 34 percent of organizations said they had up-to-date and adequate hardware and software security protections.

In some cases, the legacy OS is a sunsetted version of Microsoft Windows. According to the 2021 HIMSS Healthcare Cybersecurity Survey Report, more than one-third of health systems still have devices running Windows Server 2008 and Windows 7, both of which left Microsoft extended support in January 2020. Even worse, 1 in 5 are still running Windows XP, which has been unsupported since April 2014. In other cases, the legacy OS is a proprietary or embedded system running on medical devices or industrial control systems, where the hospital may have no ability to patch at all.

All told, only 9 percent of healthcare organizations have prioritized the removal of legacy systems as part of their overall cybersecurity strategy, according to a 2021 Healthcare Financial Management Association survey. This poses a security risk for a simple reason: Once the manufacturer ends support, security patches stop, so every vulnerability disclosed after that date stays exploitable for the remaining life of the device. As a result, devices running a legacy OS are easy targets for attackers. In fact, malware attacks on internet-connected devices spiked 123 percent in the first half of 2022, according to research from SonicWall.

“We owe it to the healthcare industry — and to society — to make this a priority and to get this right,” says Karan Sondhi, vice president and CTO for the public sector at Trellix. “When we go to the airport, we expect the airplane to be safe. We should be able to go to the hospital without having to worry about ransomware impacting care delivery.”


Why Healthcare Continues to Manage Legacy Systems

Several factors explain why health systems find themselves in this predicament. In the Kaspersky report, organizations cited high costs, compatibility issues and a lack of internal knowledge as the primary reasons for failing to upgrade a legacy OS.  

Meanwhile, HIMSS noted that legacy systems tend to be found on life-critical devices, such as those used to monitor patients in the intensive care unit. Given the importance to patient care, organizations may be unable or unwilling to plan for the obsolescence of these devices.

For these organizations, the most common response is to limit their exposure to the internet, Sondhi says. They may use a local area network and rely on email, but they’re unlikely to host their own web apps or allow patients to download their health records directly from the hospital website. Use of digital health apps is kept to a minimum — patient intake, for example — and ideally, security and administration are left to the vendor.

“That’s the best thing they can do. They’re not trying to secure their websites themselves and not realizing they’re making mistakes,” he says. This is especially valuable advice for smaller practices — a breach or ransomware attack that halts operations for a few weeks could cause enough of a revenue loss to shut the office down for good.


Larger health systems may be tempted to try to do more, Sondhi notes. After all, they’re likely investing in advanced technology for a range of use cases, from predicting patient flows and improving clinical workflows to offering virtual visits.  

Unfortunately, layering security on top of those efforts may be more trouble than it’s worth, he says. One reason is the range of cybersecurity threats that healthcare faces — namely, ransomware and phishing in addition to attacks on hardware running a legacy OS.

Another reason is that it’s not core to care delivery. In that sense, organizations should view cybersecurity like parking, catering or laundry and leave it to the experts, Sondhi says. Here, third-party security offerings such as managed detection and response services can help healthcare organizations detect and respond to threats, freeing up internal resources for tasks such as developing security policies and inventorying legacy systems.

“More large institutions in banking and other industries are getting out of the security business,” he says. “When it’s your expertise, you double down. When it’s outside your core expertise, it’s hard to maintain talent and resources, and it’s hard to measure performance because you don’t do it for a living.”

3 Recommendations for Near-Term Healthcare Security Improvement

Five years from now, Sondhi sees two changes in healthcare that will minimize the security impact of legacy systems. One is the continued transition from PCs to tablets, which run mobile operating systems that have a much smaller software footprint than Windows or macOS and therefore require fewer hard-coded security protections. The other is increased adoption of automation technology for incident detection and response, which will allow large-scale software and OS patches to be done without the involvement of the security operations center (SOC).

In the meantime, Sondhi recommends three steps to help organizations maintain basic security as they move to a more modern infrastructure:

  1. Make the process of updating and patching software easier to manage by reducing the number of software versions and vendors.
  2. Segment networks. “Critical life-support systems should never be connected to the internet. There’s no need to expose yourself to that risk,” he says. Segmentation offers the added benefit of containing a ransomware attack or other incident to the segment where it starts, provided the paths that do remain into the segment (vendor remote-support links, patch servers, management consoles) are explicitly enumerated and monitored rather than left as exceptions.
  3. Document the responsibilities of every SOC role — what tools are used, how work is delivered, and what happens if an IT staffer needs to be replaced on a short- or long-term basis. Creating these workflow diagrams will help the organization write rules for process automation.
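As an added example (not from the article, and not Trellix's or any vendor's code), here is a small Python triage script that applies steps 1 and 2 to an inventory export: it flags operating systems past their vendor end-of-support date, maps each asset to its network segment by IP prefix, and ranks unsupported devices that sit on a segment with internet egress ahead of those that are isolated. The inventory rows, segment names, prefixes and egress flags are constructed for illustration; the end-of-support dates are Microsoft's published lifecycle dates. An OS missing from the lifecycle table is reported for review rather than silently treated as supported.

```python
"""Triage an asset inventory for end-of-life operating systems and check
whether each asset's network segment is allowed to reach the internet.

Added example, not from the original article. The inventory rows, segment
names, prefixes and egress flags below are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date
from ipaddress import IPv4Network, ip_address, ip_network

# Vendor end-of-extended-support dates (Microsoft's published lifecycle dates).
EOL_DATES: dict[str, date] = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2019": date(2029, 1, 9),
}

# Reference date for the run; the article was published Jan 4, 2023.
ARTICLE_DATE = date(2023, 1, 4)


@dataclass(frozen=True)
class Segment:
    name: str
    network: IPv4Network
    internet_egress: bool  # does the segment's firewall policy permit outbound internet?


# Constructed segment map: names, prefixes and egress flags are hypothetical.
SEGMENTS = [
    Segment("clinical-devices", ip_network("10.20.0.0/16"), internet_egress=False),
    Segment("business-lan", ip_network("10.30.0.0/16"), internet_egress=True),
]

# Constructed inventory in the shape of a CMDB export; hosts and addresses are made up.
SAMPLE_INVENTORY = """\
hostname,ip,os,role
icu-monitor-07,10.20.1.17,Windows XP,patient monitor
imaging-ws-02,10.20.1.44,Windows 7,imaging workstation
reg-desk-03,10.30.5.12,Windows 7,registration desk
file-srv-01,10.30.5.200,Windows Server 2008 R2,file server
pacs-app-01,10.30.5.210,Windows Server 2019,PACS application
infusion-pump-12,10.20.2.9,VxWorks 6.9,infusion pump
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "review": 2, "info": 3}


@dataclass(frozen=True)
class Finding:
    hostname: str
    os: str
    segment: str
    severity: str
    reason: str


def segment_for(ip: str, segments: list[Segment] = SEGMENTS) -> Segment | None:
    """Return the first segment whose prefix contains the address, or None if unmapped."""
    addr = ip_address(ip)
    return next((s for s in segments if addr in s.network), None)


def eol_status(os_name: str, today: date) -> str:
    """'eol' once the vendor date has passed, 'supported' before it, 'unknown' if not tracked."""
    end = EOL_DATES.get(os_name)
    if end is None:
        return "unknown"
    return "eol" if today >= end else "supported"


def classify(os_name: str, segment: Segment | None, today: date) -> tuple[str, str]:
    """Combine lifecycle status with segment exposure; an unmapped host is assumed exposed."""
    status = eol_status(os_name, today)
    exposed = segment is None or segment.internet_egress
    if status == "eol" and exposed:
        return "critical", "unsupported OS on a segment with internet egress"
    if status == "eol":
        return "high", "unsupported OS; isolated, but still unpatchable"
    if status == "unknown":
        return "review", "OS not in the lifecycle table; confirm vendor support status"
    if exposed:
        return "info", "supported OS with internet egress; keep patched"
    return "info", "supported OS on an isolated segment"


def triage(inventory_csv: str, today: date, segments: list[Segment] = SEGMENTS) -> list[Finding]:
    """Rank every inventory row, most exposed unsupported devices first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        seg = segment_for(row["ip"], segments)
        severity, reason = classify(row["os"], seg, today)
        findings.append(Finding(row["hostname"], row["os"], seg.name if seg else "unmapped", severity, reason))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.hostname))


def os_version_sprawl(inventory_csv: str) -> Counter:
    """Step 1 of the article: how many distinct OS versions the patch process must cover."""
    return Counter(row["os"] for row in csv.DictReader(io.StringIO(inventory_csv)))


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, ARTICLE_DATE):
        print(f"{f.severity:8} {f.hostname:18} {f.os:24} {f.segment:17} {f.reason}")
    print("distinct OS versions to patch:", len(os_version_sprawl(SAMPLE_INVENTORY)))
```

Run against the constructed data, the two Windows 7 and Server 2008 R2 hosts on the business LAN come out as critical, the XP and Windows 7 hosts on the isolated clinical segment as high, and the infusion pump's embedded OS is queued for review because its support status is not tracked; the same inventory feeds the version count that step 1 asks you to shrink.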

“If you invest the time to do the basics, then you’ll be able to do things in a more systematic way in the future,” Sondhi says.


