Addressing Legacy Systems in Healthcare Settings
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule requires covered entities and their business associates to implement administrative, technical, and physical safeguards that reasonably and appropriately secure the electronic protected health information (“ePHI”) that these organizations create, receive, maintain, or transmit. Currently, many healthcare organizations rely on legacy systems: outdated systems with one or more components superseded by newer versions and considered End of Life (“EoL”) by the manufacturer. The security complications and implications of legacy systems within a healthcare organization’s environment are often overlooked, potentially violating the HIPAA Security Rule because such systems may not provide “reasonable and appropriate safeguards” to secure ePHI.
To start, legacy systems pose a significant risk and are vulnerable to cyberattacks. As such, they must be managed to address the risks and to ensure resilience. The HIPAA Security Rule requires covered entities and their business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI throughout their environment, including ePHI used by legacy systems. The Department of Health and Human Services (“HHS”) website contains a useful Security Risk Assessment Tool to assist organizations in performing such risk assessment.
With cyberattacks on the rise, organizations must mitigate legacy systems as a security risk by adopting some of the following strategies to ensure compliance:
- Upgrading to a supported version or system
- Contracting with the vendor for extended support
- Migrating to a different system or solution
- Switching to a cloud-based solution
- Removing the legacy system from the internet or network
- Maintaining the legacy system by strengthening existing controls or implementing compensating controls
Strengthening or adopting some additional controls regardless of the systems in the environment—new or legacy—will reduce risk to the organization. Examples of additional controls include:
- Enhancing system activity reviews and audit logging
- Segmenting the network and connecting only required and approved devices
- Restricting access to a reduced number of users
- Strengthening authentication requirements through the use of two-factor authentication (2FA) or multifactor authentication (MFA) where possible
- Restricting the legacy system from performing unnecessary functions
- Ensuring the system has functioning and redundant back-ups along with aggressive firewall rules
- Using fully licensed and supported anti-malware solutions
While it is ideal for every organization to operate on a fully patched system with the most recent version of software and hardware, implementation of a fully up-to-date system that addresses all vulnerabilities remains a challenge in practice, and healthcare organizations continue to use legacy systems for critical services for many reasons. Significant challenges for healthcare organizations include the lack of time to maintain and secure the systems and the lack of financial resources needed to replace the system at any given moment.
An organization must include security risks when balancing competing priorities and interests in its decision to continue using a legacy system. While maintaining a fully patched system may be costly, leaving legacy systems in place carries legal as well as financial risks. This is especially important when the legacy system is used to access, store, create, maintain, receive, or transmit ePHI. Legacy systems lacking vendor support leave data vulnerable to cyberattacks, potentially compromising the confidentiality, integrity, and availability of data in the environment. Covered entities and business associates alike can be directly liable and subject to fines of up to $50,000 per violation for noncompliance.
Conducting an inventory of current hardware and software to identify legacy systems and track the dates on which systems reach legacy status should be a priority for any organization. Before a system nears legacy status, organizations should assess, or seek guidance on, their specific security risks and develop a strategy with a timeline to upgrade or migrate to a current system. Lastly, the organization must create a comprehensive, focused plan, subject to periodic review and update, for maintaining the legacy system so that ePHI remains protected and the proposed timeline is met, including the legacy system’s ultimate retirement and replacement.
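As an added illustration that is not part of the article, the following Python script applies the inventory-and-triage approach described above: it classifies each asset by its vendor EoL date and ranks EoL systems that handle ePHI without the compensating controls listed earlier as the most urgent. The asset names, products, EoL dates, control labels and reference date are all constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample inventory; asset names, products and EoL dates are
# hypothetical and not taken from the article.
INVENTORY = [
    {"asset": "radiology-ws-01", "product": "VendorOS 7", "eol": date(2020, 1, 14),
     "ephi": True, "controls": []},
    {"asset": "lab-db-02", "product": "VendorDB 2012", "eol": date(2022, 7, 12),
     "ephi": True, "controls": ["segmented", "mfa", "logging"]},
    {"asset": "kiosk-lobby-3", "product": "KioskLinux 20", "eol": date(2025, 5, 31),
     "ephi": False, "controls": []},
    {"asset": "ehr-app-01", "product": "ServerOS 22", "eol": date(2027, 4, 30),
     "ephi": True, "controls": ["mfa"]},
]

# Compensating controls drawn from the article's list (segmentation, MFA,
# audit logging); labels are constructed. An EoL system holding ePHI that
# lacks any of them is the most urgent case.
REQUIRED_CONTROLS = {"segmented", "mfa", "logging"}
REFERENCE_DATE = date(2024, 9, 1)  # constructed "today" for the review


def support_status(eol, today, warn_days=365):
    """Classify a system by its vendor end-of-life date."""
    if today >= eol:
        return "eol"
    if today + timedelta(days=warn_days) >= eol:
        return "approaching"  # within the planning window for upgrade/migration
    return "supported"


def triage(inventory, today):
    """Rank assets so the riskiest legacy systems surface first."""
    results = []
    for item in inventory:
        status = support_status(item["eol"], today)
        missing = sorted(REQUIRED_CONTROLS - set(item["controls"]))
        if status == "eol" and item["ephi"]:
            priority = "critical" if missing else "high"
        elif status == "eol":
            priority = "medium"
        elif status == "approaching":
            priority = "plan"
        else:
            priority = "ok"
        results.append({"asset": item["asset"], "status": status,
                        "priority": priority, "missing_controls": missing})
    rank = {"critical": 0, "high": 1, "medium": 2, "plan": 3, "ok": 4}
    return sorted(results, key=lambda r: rank[r["priority"]])


if __name__ == "__main__":
    for row in triage(INVENTORY, REFERENCE_DATE):
        print(row)
```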
The views and opinions expressed in the article represent the view of the author and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is intended to be a substitute for professional legal advice.