Why Healthcare Continues to Manage Legacy Systems
Several factors explain why health systems find themselves in this predicament. In the Kaspersky report, organizations cited high costs, compatibility issues and a lack of internal knowledge as the primary reasons for failing to upgrade a legacy OS.
Meanwhile, HIMSS noted that legacy systems tend to be found on life-critical devices, such as those used to monitor patients in the intensive care unit. Given the importance to patient care, organizations may be unable or unwilling to plan for the obsolescence of these devices.
For these organizations, the most common response is to limit their exposure to the internet, Sondhi says. They may use a local area network and rely on email, but they’re unlikely to host their own web apps or allow patients to download their health records directly from the hospital website. Use of digital health apps is kept to a minimum — patient intake, for example — and ideally, security and administration are left to the vendor.
“That’s the best thing they can do. They’re not trying to secure their websites themselves and not realizing they’re making mistakes,” he says. This is especially valuable advice for smaller practices — a breach or ransomware attack that halts operations for a few weeks could cause enough of a revenue loss to shut the office down for good.
Larger health systems may be tempted to try to do more, Sondhi notes. After all, they’re likely investing in advanced technology for a range of use cases, from predicting patient flows and improving clinical workflows to offering virtual visits.
Unfortunately, layering security on top of those efforts may be more trouble than it’s worth, he says. One reason is the range of cybersecurity threats that healthcare faces — namely, ransomware and phishing in addition to attacks on hardware running a legacy OS.
Another reason is that cybersecurity is not core to care delivery. In that sense, organizations should view cybersecurity like parking, catering or laundry and leave it to the experts, Sondhi says. Here, third-party security offerings such as managed detection and response services can help healthcare organizations detect and respond to threats, freeing up internal resources for tasks such as developing security policies and inventorying legacy systems.
“More large institutions in banking and other industries are getting out of the security business,” he says. “When it’s your expertise, you double down. When it’s outside your core expertise, it’s hard to maintain talent and resources, and it’s hard to measure performance because you don’t do it for a living.”
3 Recommendations for Near-Term Healthcare Security Improvement
Five years from now, Sondhi sees two changes in healthcare that will minimize the security impact of legacy systems. One is the continued transition from PCs to tablets, which run mobile operating systems that have a much smaller software footprint than Windows or macOS and therefore require fewer hard-coded security protections. The other is increased adoption of automation technology for incident detection and response, which will allow large-scale software and OS patches to be applied without the involvement of the security operations center (SOC).
In the meantime, Sondhi recommends three steps to help organizations maintain basic security as they move to a more modern infrastructure:
- Make the process of updating and patching software easier to manage by reducing the number of software versions and vendors.
- Segment networks. “Critical life-support systems should never be connected to the internet. There’s no need to expose yourself to that risk,” he says. Segmentation offers the added benefit of isolating a ransomware attack or other incident.
- Document the responsibilities of every SOC role — what tools are used, how work is delivered, and what happens if an IT staffer needs to be replaced on a short- or long-term basis. Creating these workflow diagrams will help the organization write rules for process automation.
“If you invest the time to do the basics, then you’ll be able to do things in a more systematic way in the future,” Sondhi says.