CyberSecurity SEE

The Impact of Legacy Systems on Healthcare Growth and Data Security

In the digital age, healthcare systems hold vast amounts of personal and sensitive data, making them attractive targets for malicious threat actors. These individuals exploit the value of healthcare data to carry out extortion schemes, using the sensitive information they possess as leverage. One of the vulnerabilities in the healthcare sector that exposes it to potential attacks is the reliance on legacy systems.

Legacy systems, which include outdated computing software, hardware, technology, or data systems that are no longer supported by the manufacturer, pose a significant risk to the healthcare industry. Despite Microsoft ending support for Windows 7 in 2020, many people continue to use it, exposing themselves to cybersecurity threats. Legacy devices are more susceptible to exploitation, as they no longer receive system updates that could address vulnerabilities.

Mayurakshi Ray, an advisor to CXOs and a business advisor with over 25 years of experience, has observed the use of legacy devices in the healthcare industry. She notes that the automation required to serve a large number of people is often not considered a top priority. Legacy applications, hardware, and processes are still prevalent in the healthcare sector worldwide. The focus on data privacy, rather than regulatory guidelines, contributes to the persistence of legacy systems in healthcare organizations.

Recognizing the risks associated with legacy systems, the White House has announced a 10-year modernization plan for federal civilian agencies. This plan aims to eliminate legacy devices across the Federal Civilian Executive Branch. Chris DeRusha, Federal CISO and deputy national cyber director for federal cybersecurity, emphasizes the need for such a plan, stating that legacy IT modernization is crucial for securing systems and implementing cybersecurity measures effectively.

The healthcare sector is a prime target for cyberattacks, with over 40% of healthcare data breaches caused by third-party insiders who have advanced permissions. Nearly 94% of organizations work with third-party insiders, highlighting the significant threat landscape if proper precautions are not taken. The compromise of third-party platforms, like the MOVEit file transfer platform, can lead to the exposure of sensitive data from multiple client organizations, including healthcare organizations. This chain of cyberattacks affects millions of individuals and highlights the pressing need for better cybersecurity in the healthcare sector.

Relying on legacy systems in healthcare has several negative consequences. Chuck Young, the Managing Director of Public Affairs at the GAO (U.S. Government Accountability Office), explains that maintaining legacy systems can result in known security vulnerabilities, reduced ability to meet mission needs, difficulty in finding knowledgeable staff, and increased operating costs. Legacy systems have outdated software and hardware, making them incompatible with other software and security updates. They also lack scalability, flexibility, and interoperability, leading to limited resource-sharing and increased power consumption.

The use of legacy systems in healthcare hampers clinician productivity and increases patient stays in hospitals. Outdated technology causes communication delays and incurs annual expenses of $8.3 billion for U.S. hospitals. The migration to modern technology is hindered by a lack of technical knowledge among staff, particularly as experienced IT employees retire or move on from healthcare. Resistance to change by key decision-makers also contributes to the continued reliance on legacy systems.

To address these challenges, healthcare organizations must develop comprehensive risk management plans. Mayurakshi Ray suggests creating a risk inventory of all legacy systems and identifying risks associated with each type or group of legacy systems. It is crucial for healthcare organizations to replace legacy systems with updated versions to ensure cybersecurity. Failure to do so could result in legal action against organizations, as failing to encrypt devices and using outdated security policies are common HIPAA violations.

In conclusion, the healthcare sector must recognize the risks posed by legacy systems and prioritize their modernization. The use of outdated technology leaves organizations vulnerable to cyberattacks and affects the privacy and security of sensitive patient data. By implementing comprehensive risk management plans and investing in updated systems, healthcare organizations can protect themselves and their patients from the growing threat of cybercrime.
