USA issues cybersecurity warning for older IT systems

The Office for Civil Rights (OCR) of the Department of Health and Human Services is advising clinicians to take a closer look at their older IT systems and equipment. On October 29, 2021, OCR warned that these systems may be vulnerable to cyberattack.

A legacy system is one in which at least one component has been supplanted by newer technology and for which the manufacturer no longer offers support. Despite their widespread use, OCR says that the unique security considerations that apply to legacy systems in an organization's IT environment are often overlooked.

“That warning is long overdue,” said Michael Greenberger, law professor and director of the Center for Health and Homeland Security at the Carey School of Law at the University of Maryland in Baltimore. The HIPAA Security Rule requires covered entities and their business associates to implement reasonable and appropriate safeguards to protect electronic protected health information (ePHI). These requirements apply to ePHI that the organization creates, receives, maintains, or transmits.


The technological footprint of a healthcare organization grows daily, and OCR wants providers to take the time to identify and evaluate their weak points. The central security risk is that a legacy system no longer receives vendor support: newly discovered vulnerabilities are never patched, which leaves the system increasingly exposed to cyberattacks.

“The problem is crying out to become a crisis”

Today, many organizations cannot replace their legacy systems without disrupting critical services or compromising data integrity. For healthcare providers, this can apply to medical devices, electronic health records, and other systems that support critical services. A doctor’s office may be reluctant to change technology that appears to be working, or to adopt a new and unfamiliar system that could decrease efficiency or lead to more frequent user errors. However, the question of liability can outweigh these factors.

OCR notes that many healthcare providers may be reluctant to replace a system that is well tailored to their business model. Another problem is that a practice's legacy systems may not be compatible with newer systems. “It’s a mystery and won’t work out well for those using legacy systems,” said Greenberger. “Someone is held liable for information stolen. It’s just a problem that is crying out to be a crisis.”

Due to the COVID-19 pandemic, many medical practices lack the time, staff, or money to make the necessary IT investments. “There will be liability. It’s like someone with an old car who doesn’t want a new car even though it’s safer. Then they get into an accident and almost lose their life and lose the car. Until then, they say the car is fine. Then a crisis happens,” said Greenberger.

While many factors can contribute to an organization’s decision to continue using a legacy system, it is important that the organization take security into account, especially if the legacy system is used to store, create, maintain, receive, or transmit ePHI, or to access it. The HIPAA Security Rule requires covered entities and their business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI throughout their environment. This includes ePHI handled by legacy systems.

Asset inventory recommended as a first step

OCR recommends an accurate and up-to-date asset inventory as a useful first step, since it helps organizations understand where critical processes, data, and legacy systems reside. After assessing the potential risks and vulnerabilities to their ePHI, covered entities and business associates should promptly take the steps necessary to reduce those risks and vulnerabilities. To mitigate the security risk of a legacy system, OCR suggests upgrading to a supported version, contracting with the vendor or a third party for extended system support, or migrating to a cloud-based solution. Where that is not possible, the legacy system should be removed, or disconnected from the internet or from the organization’s network so that it cannot be reached by an attacker.

“For better or for worse, private information is published because these systems are so hackable,” said Greenberger. “Of course people won’t step on their feet and make changes, but we are months away from this becoming a necessity as the liabilities become apparent. Insurance companies will tell you they don’t have insurance.”

OCR also suggests strengthening system activity review and audit logging to detect unauthorized activity, paying special attention to changes in security configuration, authentication events, and access to ePHI. Organizations are encouraged to limit access to the legacy system to a small set of named users, and to disable any functions or operations of the legacy system that are not strictly necessary.
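The review that OCR describes above (authentication events, security-configuration changes, and ePHI access on a legacy host, with access restricted to a short allowlist of users) can be automated even when the legacy system itself cannot be patched. The following is an added example written for this page; it is not OCR's or the article's code. The syslog-like log format, the host name `legacy-fs1`, the user names, and the `/ephi/` path are constructed for the example and are assumptions, not a real product's format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) from a hypothetical legacy
# file server that stores ePHI. Line shape: "<ISO timestamp> <host> <kind>: k=v k=v ..."
SAMPLE_LOG = """\
2021-11-02T08:01:10 legacy-fs1 auth: user=dr.lee src=10.20.0.15 result=success
2021-11-02T08:03:42 legacy-fs1 file: user=dr.lee action=read path=/ephi/charts/0042.pdf
2021-11-02T12:14:05 legacy-fs1 auth: user=admin src=203.0.113.7 result=failure
2021-11-02T12:14:09 legacy-fs1 auth: user=admin src=203.0.113.7 result=failure
2021-11-02T12:14:13 legacy-fs1 auth: user=admin src=203.0.113.7 result=failure
2021-11-02T12:14:20 legacy-fs1 auth: user=admin src=203.0.113.7 result=success
2021-11-02T12:15:02 legacy-fs1 config: user=admin action=set key=audit.enabled value=false
2021-11-02T23:40:31 legacy-fs1 auth: user=contractor src=10.20.0.99 result=success
2021-11-02T23:41:00 legacy-fs1 file: user=contractor action=read path=/ephi/charts/0100.pdf
"""

# The "reduced number of users" who are allowed on the legacy system (assumed).
ALLOWED_USERS = {"dr.lee", "nurse.kim"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m.group("ts")), "host": m.group("host"),
            "kind": m.group("kind"), **fields}


def review_audit_log(text, allowed_users, business_hours=(7, 19),
                     failure_threshold=3, window=timedelta(seconds=60),
                     ephi_prefix="/ephi/"):
    """Return a list of findings, one dict per suspicious event, in log order.

    Rules applied:
      brute_force_success        - success preceded by >= failure_threshold failures
                                   from the same source within `window`
      login_not_allowlisted      - successful logon by a user outside the allowlist
      audit_config_change        - any change to an "audit.*" configuration key
      ephi_access_not_allowlisted- ePHI read/write by a user outside the allowlist
      ephi_access_off_hours      - ePHI access outside business_hours [start, end)
    """
    findings = []
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failures

    def flag(rule, ev, **extra):
        findings.append({"rule": rule, "ts": ev["ts"], "user": ev.get("user", "?"), **extra})

    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user = ev.get("user", "?")

        if ev["kind"] == "auth":
            src = ev.get("src", "?")
            q = recent_failures[src]
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if ev.get("result") == "failure":
                q.append(ev["ts"])
                continue
            if len(q) >= failure_threshold:         # failures followed by a success
                flag("brute_force_success", ev, src=src, failures=len(q))
            q.clear()
            if user not in allowed_users:
                flag("login_not_allowlisted", ev, src=src)

        elif ev["kind"] == "config":
            # Attackers commonly switch off or thin out logging first; watch audit.* keys.
            if ev.get("key", "").startswith("audit."):
                flag("audit_config_change", ev, key=ev.get("key"), value=ev.get("value"))

        elif ev["kind"] == "file" and ev.get("path", "").startswith(ephi_prefix):
            if user not in allowed_users:
                flag("ephi_access_not_allowlisted", ev, path=ev["path"])
            start, end = business_hours
            if not (start <= ev["ts"].hour < end):
                flag("ephi_access_off_hours", ev, path=ev["path"])

    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG, ALLOWED_USERS):
        print(f["ts"].isoformat(), f["rule"], f["user"], {k: v for k, v in f.items()
                                                           if k not in ("ts", "rule", "user")})
```

Run against the constructed sample, the script reports the password-guessing burst against `admin` that ends in a success, the two logons by accounts that are not on the allowlist, the attempt to turn audit logging off, and the after-hours read of an ePHI file by a non-allowlisted account. In practice the log would be shipped off the legacy host to a collector before review, so that an attacker who gains control of the unpatched system cannot also erase the evidence.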

Edmon Begoli, director of research and development for AI systems at Oak Ridge National Laboratory in Oak Ridge, Tennessee, said that aging software written in languages, and against libraries, that are no longer widely used represents a maintenance burden. In addition, it poses a security risk, since older systems are likely to be easier to exploit in a cyberattack. “While the cyber threat landscape is frightening, following some basic security best practices can have a dramatic positive impact on businesses,” said Begoli.

Those best practices include using anti-virus software, enforcing a strong password policy, and performing regular backups. Others include updating software promptly and encrypting the data being protected, both at rest and in transit. “We need to ensure that our systems, including data, are properly protected, monitored and patched against vulnerabilities,” said Begoli. “This is even more important with the legacy systems as they probably weren’t built with the same privacy or cybersecurity controls as they are today.”

This article originally appeared on the Kidney and Urology News
