The Department of Health and Human Services Office for Civil Rights’ latest cybersecurity newsletter urges covered entities and relevant business associates to review and address the security measures put in place for legacy systems within the enterprise, in light of ongoing threats and risks posed by the use of these technologies.
In an ideal world, healthcare organizations would replace all legacy tech with newer platforms meant to be connected to the internet and supported by the vendor with routine software updates.
However, for a host of reasons, many providers still leverage these technologies for daily operations. And while previous Forescout data showed there was a major push in healthcare to upgrade platforms to Windows 10 in early 2020, 68% of healthcare organizations were still using outdated Windows OS for more than a year.
There’s also been a consistent number of providers operating with even older Windows platforms on their network, like XP, for which Microsoft ended support years ago.
“It’s a clear indication that the problem of legacy devices is going to continue for some time,” Forescout Research Manager Daniel dos Santos, said at the time of the report. “The number of legacy devices is what worries us, year after year. It seems like it’s just going to continue, the percentage of those out-of-band, old versions of Windows.”
According to OCR, there are understandable reasons that providers may choose to continue using these vulnerable technologies. Those reasons include not being able to replace the legacy system without losing the availability or integrity of data or disrupting critical services, or reluctance to replace a fully-functioning system tailored to current business needs.
The entity may also not have the time, funds, or workforce needed to retire and replace the legacy system. Case in point, the Department of Veterans Affairs has been working for years to replace its legacy electronic health records system, at great cost, with significant manpower, and amid other challenges.
Although these are relevant reasons, all covered entities are required under the Health Insurance Portability and Accountability Act (HIPAA) to implement safeguards that reasonably and appropriately ensure the protection of all patient health information in their possession.
OCR is concerned that as healthcare entities continue to expand their technological footprint, the devices within their network also expand — as do the cyber threats.
“Many health care organizations rely on legacy systems,” OCR officials wrote. “But despite their common use, the unique security considerations applicable to legacy systems in an organization’s IT environment are often overlooked. Legacy systems’ lack of vendor support makes them particularly vulnerable to cyberattacks.”
The OCR newsletter reminds providers of the importance of employing an accurate and up-to-date asset inventory as a starting point for addressing critical processes and data, as well as where the legacy systems reside on the network.
Automation provides an effective way of finding all endpoints and devices within the network. From there, an entity can leverage the inventory information to implement the necessary security measures to reduce risks and vulnerabilities to an appropriate level, another HIPAA requirement.
Specific to legacy systems, providers must identify the potential risks and vulnerabilities posed by these systems and the security mitigation steps needed to reduce those risks, within a proposed timeline. This should include a possible retirement date for those legacy systems.
Effective mitigation recommendations include upgrading the tech to supported systems or versions, contracting with the vendor or a relevant third party for extended system support, migrating the system to a cloud-based platform, or network segmentation.
Some providers choose to strengthen existing controls or implement compensating controls, which requires the entity to tailor the measures to defend against potential risks and vulnerabilities that were assessed during the inventory review. Possible measures can include enhancing system activity reviews and audit logging, as well as restricting access to legacy systems to only necessary employees.
Further, OCR noted that “if an organization elects to maintain a legacy system, it should review and modify its security measures to ensure the continued protection of its ePHI… [and] consider when the burdens of maintaining a legacy system will outweigh its benefits and plan for the legacy system’s eventual removal and replacement.”
CynergisTek CEO Mac McMillan recently shared some insights into how security leaders can broach the topic of replacing legacy tech with hospital leadership. While chief information security officers may be programmed to present a classic security narrative, i.e., risk and threat, the conversations should center on cost and impact to business operations.
The goal should be to inform the board why they should care that the device is at risk and what might happen, in terms of cost and operations, if the vulnerability were to be exploited.
Risk can impact HIPAA compliance, finances, and patient safety, explained McMillan. CISOs should identify the unsupported systems and draw the connection between the problem, the risks, and the impact these systems may have if disrupted.
“HHS and OCR have already said very clearly: anytime there's a breach and it involves an unsupported system, you are automatically guilty because unsupported systems are not compliant and should not be in your environment,” said McMillan.
As such, the CISO should communicate to the board that if there’s a breach and it involves the legacy systems, there will likely be regulatory fines and other related financial harms. McMillan added that if these systems are compromised, there is also a risk to delivering care and potentially patient safety.
Legacy devices pose “operational risks that have both financial and patient safety implications.” With this communication style, a CISO can flip the narrative away from the security issue of unsupported systems operating on the network and instead identify the types of risk the tech represents. Boards are more likely to care because they can see the business impact.
“You have to be more effective in communicating and changing the narrative,” McMillan concluded. “You’re still not going to get everything you want, but you will get more of what you need.”