October is Cybersecurity Awareness Month
Each week this month we will take on a new cybersecurity subject and ask our experts in the healthcare industry to weigh in.
Week 2: Updating Legacy Systems
According to a Maryville University paper on Healthcare Cybersecurity Challenges, updating legacy systems can minimize vulnerabilities for cyberattacks, providing “back-door entry” for cybercriminals to access systems that hold personal and medical data.
Shawn Fergason, Senior Vice President of Information Technology and Technology Services, MediQuant
X: @MediQuantLLC
Data silos are a reality among outdated legacy applications. Hospitals and clinical systems are running hundreds, sometimes thousands, of applications simultaneously that could be vulnerable to attacks. Inadequate access controls and weak authentication mechanisms create exploitable security vulnerabilities and opportunities for accidental data leaks. The severity of healthcare data breaches can’t be overstated, as they have the potential to lead to identity theft, financial fraud, and reputational damage to healthcare organizations. When it comes to the protection of confidential patient information, secure healthcare data archiving is essential and should be a critical component of an organization’s cybersecurity program. In addition to other measures, data archiving can shore up vulnerabilities by decommissioning applications and software that are not being supported, monitored, and patched regularly. Several effective tactics that healthcare organizations can use to secure their data archives and protect themselves and their patients from a breach include: educate and train employees on data security challenges; commit to a holistic cybersecurity framework to ensure best practices are followed while significantly reducing cybersecurity risk; and perform supply chain assessments to considers risks brought about by external parties.
Russell Teague, Vice President, Advisory Services & Threat Operations, Fortified Health Security
X: @FortifiedHITSec
Legacy and End of Life (EOL) systems are a major risk in any organization. One sector more than all others, healthcare, leverages more legacy technology given the dynamics across both the IT Tech Stack and the Operational Tech Stack (connected medical devices or IoMT). Reducing vulnerabilities within your organization will reduce your risk of cybercriminals gaining access. If you cannot patch your systems and reduce the risk from known vulnerabilities, then you can segment those technologies into smaller network segments to reduce the attack surface and reduce the impact if a compromise or exploit of a known vulnerability was to occur. Systems that store, process, transmit or interact with personal identifiable information or protected health information should be known and protected differently than those assets that do not directly interact with sensitive information. Risk Classification and Categorization are key elements to any robust cybersecurity program.
David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
X: @DavidSFinn
No sector has more legacy systems than healthcare. This creates a very dangerous situation for many providers. Outdated software (and even hardware in many situations) represent easy pickings for attackers. Keeping systems current and up to date should be a fundamental act of cyber hygiene. Unfortunately, it is not always possible to do so, particularly in the world of IoMT and IoT (medical devices and other facilities-based system like HVAC, point-of-sale systems, internet-connected vending machines). There is never enough funding, time, or human resources to replace systems that are still functional, but you must continually assess risk on legacy systems – – and remediate as possible. Remove unused systems and applications, implement policies and rules to help govern legacy systems in a more secure fashion. Remember, too, that modernizing legacy systems may allow you to improve functionality and save money on day-to-day operations, technical support, and maintenance. Work with your users to build a business case for replacing legacy systems that present risk that is unacceptable to the organization.
Karthik Kanakaraj, Enterprise Architect, HSBlox
In practical terms, there exist multiple benefits in updating legacy healthcare systems to tackle cybersecurity challenges. Updating enhances the healthcare system’s security standards by implementing modern security protocols and features, reducing the vulnerability to cyberattacks. Also, it ensures compliance with evolving healthcare data protection regulations to safeguard patient information, and prevent potential legal and financial consequences. Lastly, the enhancements to interoperability facilitate seamless data sharing among healthcare providers, resulting in improved patient care and overall system efficiency, which perfectly align with the objectives promoted by the Trusted Exchange Framework and Common Agreement (TEFCA) guidelines and standards.
Rick Passero, Chief Information Security Officer, Anatomy IT
Legacy systems not only pose greater cybersecurity risks through their widely recognized set of software vulnerabilities, but they also add to healthcare organizations’ costs in other ways. End-of-life hardware and software, for example, have come under scrutiny by cybersecurity insurance companies, and many are denying coverage to healthcare organizations or charging enormous premiums if the technology is not replaced. Most organizations are determining that with the inherent vulnerabilities, insurance costs and higher maintenance and repair expenses, upgrading legacy equipment is the most cost-effective course.
Wes Wright, Chief Healthcare Officer, Ordr
X: @ordrofthings
Legacy systems are found in almost all healthcare organizations. One would think it’s mostly because of tight budgets/resources, since there is no money to replace high-value capital equipment simply based on an obsolete operating system, or end of manufacturer support in favor of a new model. That’s not always the case. Healthcare is a heavy proponent of the “if it ain’t broke, don’t fix it” mentality. There are just too many other broken things to fix to give any attention to things that aren’t broken. And unlike other industries, the “power base” in healthcare is extremely dispersed; a cardiac surgeon who brings in $30M to an organization can pretty much run the system she was running right out of her fellowship 20 years ago. Unfortunately, these legacy devices then become more vulnerable to attacks from cybercriminals as they age. That presents a challenge to a hospital’s healthcare technology management (HTM) team working to protect their organization.
What’s an HTM to do? We need to go old school, but that doesn’t mean we have to use old tools. Nowadays there are some great tools that utilize AI to help by first finding those legacy systems, then to know if they have any vulnerabilities and who they’re talking with, and finally, isolate them from the rest of your resources—put barriers between them, your other stuff, and threat actors. Now, with the right tools, you can do what used to take years in about a month, no kidding.
We’ve been talking about doing something about Legacy systems since I started in HTM 30 years ago. It took me ten years to realize no matter how much I ranted about the vulnerability of that cardiac surgeon’s system, they were going to let her run it (understandable). It’s better not to go through that frustration when you have tools out there that will, unbelievably, let you “have your cake and eat it too!” We have the technology; we can make it better.
Zandy McAllister, Virtual Chief Information Security Officer, Anatomy IT
Replacing legacy systems can be a difficult cultural issue to navigate because many healthcare administrative executives and physician leaders do not see the value in replacing equipment that is operational, in-demand and generating consistent reimbursable services. Changing this culture requires educating leadership regarding vulnerabilities in the equipment’s software and explanations of the backdoor entry points that threat actors exploit to ultimately gain access to the organization’s network and data. Sharing examples of how the same or similar equipment was compromised at other organizations, or demonstrating how a motivated threat actor would gain access, may help drive those important lessons home.