Just a few days ago, Becker's Hospital Review reported an email breach at a West Virginia health center that exposed protected health information from more than 3,700 patients. Similar incidents recently occurred at a children's hospital in Colorado (2,553 patients), a Georgia health department (45,732 people), and at a Virginia-based occupational healthcare provider whose records of mandated medical exams and drug and alcohol testing reports were exposed.
Sadly, these incidents, involving phishing, ransomware and social engineering attacks, should surprise no one. Each of these breaches disrupts IT and business operations and exposes US healthcare organizations to enormous financial and legal jeopardy, yet according to the 2020 HIMSS Cybersecurity Survey they do not seem to be eliciting the responses required. Feedback from 168 healthcare cybersecurity professionals reveals that less than 6% of IT budgets were typically allocated to cybersecurity, unchanged from the previous year.
Worse still, there has been, and will continue to be, an impact on clinical care. Disruptions to systems, damage to devices, and delays in treatment are all potentially fatal to patients.
Unfortunately, we cannot protect information and infrastructure simply by adding money to cybersecurity budgets. As the HIMSS survey observes, there must also be "a reduction in attack surface (to) make it more difficult for threat actors to infiltrate organizations." It is essential that data be backed up regularly and, in particular, that the legacy footprint be reduced. The survey puts it this way:
“Legacy systems, like other aging infrastructure, are costly to maintain, and more exposed to cybersecurity risks. Vulnerabilities for legacy systems grow as time goes on. Additionally, exploits are stockpiled as time passes. Legacy systems put data at risk, unless sufficient compensating controls are put into place.”
This is not a hot new insight. Galen made this point last year in our white paper: Healthcare Application Portfolio Management & Decommissioning: Decrease Costs, Increase Agility. We said, “Applications on aging technology that have outlived support are significantly more vulnerable to cybersecurity threats. This is no surprise since many legacy systems are forgotten and therefore do not receive the latest updates, patches, and anti-virus remedies to ensure security.”
Legacy systems taken for granted within an organization are easy prey for bad actors outside it. According to HIMSS, 80% of their survey respondents are using legacy systems. Windows 7 and several Windows Server releases have reached the end of support from Microsoft but remain in use as legacy systems. For example, Windows 7 was released in 2009 and, as of January 2020, is no longer supported by its manufacturer; it is still used by nearly half of the healthcare organizations polled. A system that runs an unsupported operating system receives no further security patches, so every vulnerability disclosed after the end-of-support date remains exploitable on it indefinitely. Legacy systems that run this operating system, and many others, are ripe for attack.
No one should believe that legacy systems can be easily set aside. Despite their vulnerability, they may still be needed in certain circumstances. For example, some mission-critical applications can run only on a specific legacy operating system. Or the legacy application may not be portable to a more modern, supported operating system. Where a legacy system must stay, it has to be treated as the exception it is: isolated from the rest of the network, reachable only by the users and systems that need it, and monitored, which are the compensating controls the HIMSS survey refers to.
In short, every organization must conduct an analysis of its IT portfolio. For some, a simple review of the application portfolio to make certain that it supports mission objectives and captures application operational costs will be sufficient. But most will need to undertake a rigorous evaluation of each application in the portfolio. They will need to make a judgment about the value of each application to their business strategy. They must determine whether their organization has the institutional knowledge to get the most from its applications. And they will have to face the harder question of whether an application's architecture and the platform it depends on pose security risks.
Ultimately, each healthcare organization must formulate a risk profile of its application portfolio and rank each application in terms of its functionality, the type of information it processes, its vendor support status, and its business value. A comprehensive risk assessment will make possible a prudent, cost-effective blueprint for consolidation, remediation or elimination of legacy applications.