
Secure Your Legacy – Ep 331 

 November 19, 2021

By  Donna Grindle

Use of legacy software and devices plague healthcare. OCR’s recent newsletter focuses on why legacy systems are still used in healthcare organizations and provides guidance on ways to manage the risks of these systems.


In this episode:

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Upcoming Events:

The HIPAA Boot Camp Virtual Edition Feb 22-24, 2022

Sign up now.

The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

More details coming soon…

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Great idea! Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA


Secure Your Legacy

Our entire episode today falls under our “HIPAA Say What!?!”

[11:20] OCR’s latest newsletter came out during NCSAM in October. They went with a topic we hadn’t really covered with all our recent topics surrounding the campaign – What about all the legacy devices out there in healthcare?

Fall 2021 OCR Cybersecurity Newsletter

They do lead in with explaining that:

1 – HIPAA requires you to take care of everything around PHI, and

2 – they know that healthcare is bogged down with legacy systems performing a wide variety of required functions.

The HIPAA Security Rule requires covered entities and their business associates to implement safeguards that reasonably and appropriately secure the electronic protected health information (ePHI) that these organizations create, receive, maintain, or transmit. As health care entities’ technological footprint grows, the number of systems these organizations need to identify, assess, and maintain grows as well. Many health care organizations rely on legacy systems, which is a term for an information system with one or more components that have been supplanted by newer technology and for which the manufacturer is no longer offering support. But despite their common use, the unique security considerations applicable to legacy systems in an organization’s IT environment are often overlooked.

– Fall 2021 OCR Cybersecurity Newsletter

Why do we deal with this in the first place? Many people who haven’t been around healthcare as long as we have haven’t seen how things progressed or how expensive these devices can be. Equipment is used to diagnose life-and-death issues on a regular basis. If you can’t trust the devices, you can’t use them to help care for your patients. Vendors built medical and other devices without security in mind for decades. Often the software that runs the devices cannot be updated: upgrading the software or installing security patches can no longer guarantee the device will provide accurate diagnostics, function properly, or function at all.

[17:15] That is one reason medical devices are one of the 5 threats HICP is concerned about mitigating. The other reason is people completely forget they need to be secured. If no normal computer work is done on a device, many people just assume there is no potential for a problem. We hear things like:

  • It doesn’t connect to the EHR.
  • We don’t do email on it.
  • I’m sure it is secure.
  • We don’t touch that at all.

Let’s just say none of those are good reasons to leave your devices out when securing your environment. Here are the reasons OCR lists for why they know legacy systems are still in use:

  • The organization may not be able to replace the legacy system without sacrificing availability of data, disrupting critical services, or compromising data integrity. For health care providers, this can apply to medical devices, electronic health records, and other systems offering critical services.

This is what we just talked about – there is so much happening and the vendors say “if you touch anything it will stop working.”

  • The organization is reluctant to tinker with technology that appears to be working, or to deploy a new and unfamiliar system that may reduce efficiency or lead to increased user errors.

The familiar “if it ain’t broke, don’t fix it” syndrome.

  • The organization is reluctant to replace a system that is well-tailored to its business model, or with which it has a high degree of competence.

The new models or new versions will no longer work the way the current ones do. To use the latest and greatest version of the software or device, the organization might have to change its workflow.

  • The organization’s other systems depend on the legacy system or are incompatible with newer systems.

This is the domino effect. We can’t upgrade Part A because of something else, which means we also can’t upgrade Part B because it must be able to work with Part A.

  • The organization is unable to dedicate the time, funds, or human resources needed to retire and replace the legacy system.

Here is a big one. There is no money, time, or resources that can make it happen. It is a HUGE problem and it is only getting worse.

While many factors may contribute to an organization’s decision to continue to use a legacy system, it is important that the organization include security in its considerations, especially when the legacy system could be used to access, store, create, maintain, receive, or transmit ePHI.

– Fall 2021 OCR Cybersecurity Newsletter

[25:05] So what do you do?

Do your risk analysis of the vulnerabilities created by the legacy systems, so you understand how serious a problem they pose to your organization. Then, compare that to the price of retiring the device. Finally, either replace these systems OR find a way to secure them until you can.

Ways you can address vulnerabilities include (but are not limited to):

Segmentation. We need to do more of this anyway. Just go ahead and segment anything that is, or soon will be, a legacy system. Take them as close to zero trust as possible.

Restrict access to the device. Clients who have old servers with old EHRs on them – one of the major issues we run into – go to great lengths to set them up in locked rooms, with access to the room limited to a few individuals, only one or two logins active, and the device not connected to any network. As close to air-gapped as possible, but not to the James Bond level. Oh, and passwords that are 15 characters or longer. 2FA, if possible.

Limited functions. While you are considering those two options, you can also restrict the device to very limited uses. Remove all functionality from the device except the parts you must have for it to do its job.

Plan for failure. These things will die some day. Assume that will happen in one hour. That is how you must operate every single day you have the devices in place. At any minute, they will stop working or be attacked. Have a plan for both and think about that every single day.
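The risk analysis and the four mitigations above, worked into a small legacy-system risk register as an added example (this is not code from the episode, from OCR, or from HMWH). The inventory entries, the `proto/port -> destination` flow notation, and the exposure score used to order the work list are constructed assumptions for illustration; the checks themselves follow the controls the episode names (segmentation with narrow flows, locked room, one or two logins, 15+ character passwords, 2FA, stripped functions, a failure plan).

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class LegacySystem:
    """One inventoried system and the state of the controls discussed above.

    Field names and the flow notation "proto/port -> destination" are
    assumptions made for this example, not a real inventory schema.
    """
    name: str
    support_ends: Optional[date]        # manufacturer end-of-support; None = still open-ended
    handles_ephi: bool
    network_connected: bool
    segmented: bool                     # own zone/VLAN, default-deny between zones
    allowed_flows: List[str]            # documented required flows, e.g. "tcp/104 -> pacs.internal"
    room_access_controlled: bool
    active_logins: int
    min_password_length: int
    mfa: bool
    nonessential_functions_removed: bool
    failure_plan: bool


def is_legacy(system: LegacySystem, today: date) -> bool:
    """Legacy in the sense OCR uses: the manufacturer no longer offers support."""
    return system.support_ends is not None and system.support_ends <= today


def broad_flow(flow: str) -> bool:
    """A documented flow is over-broad if it permits any port or any destination."""
    service, _, dest = flow.partition("->")
    return dest.strip() == "any" or service.strip().endswith("/any")


def control_gaps(system: LegacySystem) -> List[str]:
    """Compensating controls from the episode that are not in place for this system."""
    gaps = []
    if system.network_connected:
        if not system.segmented:
            gaps.append("segment onto a default-deny zone")
        for flow in system.allowed_flows:
            if broad_flow(flow):
                gaps.append(f"narrow over-broad flow: {flow}")
    if not system.room_access_controlled:
        gaps.append("restrict physical access to the room")
    if system.active_logins > 2:
        gaps.append(f"reduce active logins from {system.active_logins} to at most 2")
    if system.min_password_length < 15:
        gaps.append("enforce passwords of 15+ characters")
    if not system.mfa:
        gaps.append("enable 2FA if the platform supports it")
    if not system.nonessential_functions_removed:
        gaps.append("remove every function beyond what the device must do")
    if not system.failure_plan:
        gaps.append("write the plan for the day it dies or is attacked")
    return gaps


def exposure(system: LegacySystem, gaps: List[str]) -> int:
    """Ordering score only (constructed): ePHI and network reach weigh most, each open gap adds one."""
    return (3 if system.handles_ephi else 0) + (2 if system.network_connected else 0) + len(gaps)


def assess(inventory: List[LegacySystem], today: date) -> List[dict]:
    """Return a work list, highest exposure first, with the action the episode suggests."""
    report = []
    for system in inventory:
        gaps = control_gaps(system)
        legacy = is_legacy(system, today)
        if not legacy:
            action = "supported: track end-of-support date"
        elif gaps:
            action = "legacy: close the gaps now or retire the system"
        else:
            action = "legacy, compensating controls in place: plan replacement"
        report.append({"name": system.name, "legacy": legacy, "gaps": gaps,
                       "exposure": exposure(system, gaps), "action": action})
    return sorted(report, key=lambda r: r["exposure"], reverse=True)


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    LegacySystem("old-ehr-server", date(2015, 7, 14), True, True, False, ["any/any -> any"],
                 False, 5, 8, False, False, False),
    LegacySystem("ultrasound-3", date(2018, 6, 30), True, True, True, ["tcp/104 -> pacs.internal"],
                 True, 2, 16, False, True, True),
    LegacySystem("lab-analyzer", date(2024, 12, 31), True, False, False, [],
                 True, 1, 12, True, True, False),
]
TODAY = date(2021, 11, 19)  # the episode's publication date

if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY, TODAY):
        print(f"{row['name']:<16} exposure={row['exposure']:>2} legacy={row['legacy']} -> {row['action']}")
        for gap in row["gaps"]:
            print(f"    - {gap}")
```

Run as-is, the list puts the unsegmented EHR server with eight open gaps at the top, the segmented ultrasound with only 2FA missing in the middle, and the still-supported analyzer last; the gap list under each entry is the compensating-control to-do list to weigh against the cost of retiring the system.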

Of course, the newsletter from OCR states these things in their way. So, listen to the episode to hear even more.

OCR closes their newsletter out with this:

When a system is nearing legacy status (or is already a legacy system) organizations should assess the specific security risks associated with those systems. If an organization elects to maintain a legacy system, it should review and modify its security measures to ensure the continued protection of its ePHI. Finally, organizations should consider when the burdens of maintaining a legacy system will outweigh its benefits and plan for the legacy system’s eventual removal and replacement.

– Fall 2021 OCR Cybersecurity Newsletter

At some point, you will reach the point of diminishing returns.

Healthcare is not the only industry where legacy systems and software are still being used. All organizations should do a risk analysis to determine where legacy systems may be present and understand the risk they present. Upgrading or replacing equipment or systems is not always the only option. Securing these systems should be a priority, though.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
