
Reduce Security Risk of Healthcare Legacy Systems, Devices

HHS OCR: If Old Gear Cannot Be Replaced, Take Other Steps to Protect PHI
Healthcare entities should take steps to secure legacy systems and devices offering critical patient services, says HHS OCR.

Federal regulators are reminding healthcare organizations about the critical importance of addressing security risks involving legacy systems and devices - including specialty software and gear - that are often difficult for entities to replace.

Legacy systems’ lack of vendor support makes them particularly vulnerable to cyberattacks, says the Department of Health and Human Services' Office for Civil Rights in a bulletin issued Friday.

"While many factors may contribute to an organization’s decision to continue to use a legacy system, it is important that the organization include security in its considerations, especially when the legacy system could be used to access, store, create, maintain, receive, or transmit electronic protected health information," HHS OCR writes.

Often organizations are unable to replace legacy systems and devices offering critical services - ranging from electronic medical records to medical devices - without sacrificing availability of data, disrupting critical services or compromising data integrity, HHS OCR notes.

"The organization is reluctant to tinker with technology that appears to be working, or to deploy a new and unfamiliar system that may reduce efficiency or lead to increased user errors," the bulletin says. Other times, entities are resistant to replacing systems that are "well-tailored to their business model," or on which other critical systems depend.

"But despite their common use, the unique security considerations applicable to legacy systems in an organization’s IT environment are often overlooked."

Unpatched Systems

Ideally, healthcare organizations would only use information systems that are fully patched and up to date, HHS OCR writes. "However, in reality, healthcare organizations must balance competing priorities and obligations" in the decision to continue using legacy IT that is no longer supported by vendors, the bulletin notes.

Unpatched systems are particularly vulnerable to hacking incidents, providing bad actors an opportunity to gain access to and subsequently pivot throughout the healthcare IT environment, some experts warn.

"Once in, the hackers can steal data, deploy malware like spyware or ransomware, install back doors, and engage in all sorts of other malicious activities," says Jon Moore, chief risk officer at privacy and security consultancy Clearwater.

Support Issues

Ongoing vendor support and security patches are a common problem when dealing with legacy systems and devices in healthcare, other experts note.

"The number of systems that healthcare organizations utilize beyond the EMR is extremely high but also often very specialized, where patient care is the focus and not necessarily security controls or integration into a distributed network infrastructure," says Dustin Hutchison, CISO at security consultancy Pondurance.

Also, when a vendor system or operating system-level patch cannot be applied to a patient care system, many healthcare organizations struggle to identify compensating controls to protect the system and data that do not hinder the ability to deliver service to patients, he notes.

Meanwhile, legacy medical devices present additional problems, Moore notes. For instance, if certain devices are supporting critically ill patients, it can be too risky or not possible to deploy agents to the devices or to scan them, "as they might crash," he says.

"This problem led to the development of new medical device discovery and vulnerability management tools that can identify the devices through the information they send and receive," he notes. "These tools were initially expensive, and while the cost has come down, organizations are now struggling to find the resources to run the tools effectively and get the hoped-for value from them."

Typically, for legacy medical devices that can’t be patched, the only option is to network-segment them, according to Moore. He says that organizations with medical device discovery tools can often do this in an automated fashion, but for other organizations it can be a time-consuming, expensive, manual process, depending upon the number of devices the organization has in service.

Asset Management

An accurate and up-to-date asset inventory is a critical fundamental step that can help organizations understand where critical processes, data and legacy systems reside within their organization, HHS OCR writes.

But many healthcare organizations, especially larger entities, struggle even with that, Hutchison notes.

"Asset management is difficult in any organization but when you add the complexity of merger and acquisition growth, and additionally the multitude of systems and devices used in healthcare to support patient care, the problem becomes even more complex," he says.

Hutchison notes that various teams and departments are often supporting biomedical and IT systems, including “shadow IT” or employees who may be primarily focused on patient care but have inherited some level of system administration.

"So a cross functional, multi-facility organization without distinct support teams can definitely run into issues when trying to ensure the asset inventory is updated."

Patient Safety Worries

The HHS OCR bulletin follows recently published analysis by HHS' Health Sector Cybersecurity Coordination Center noting that ransomware and other cyberattacks continue to threaten the U.S. and global healthcare sectors, in part due to many entities' high dependency on legacy systems, as well as a lack of security resources (see Analysis: Top Ransomware Gang Targeting Healthcare Sector).

The risk of adversely affecting a patient directly through a legacy system or device is a definite fear, Hutchison says.

"Healthcare organizations should focus on defense in depth for medical devices that are no longer being supported by the vendor from a security standpoint through network segmentation, appropriate access controls at the network level, and also monitoring and alerting," he says.

"A good practice in healthcare is: When you can’t protect the device, look to the network for compensating controls and network visibility."

Assessing Risk

Sometimes legacy systems are unable to meet the security standards set by an organization, says Kate Borten, president of privacy and security consultancy The Marblehead Group.

As a simple example, password controls should include features such as minimum length, composition and frequency of change, she says. "Systems also should be able to isolate security functions from general 'sys admin' accounts. But legacy systems as well as smaller vendor systems sometimes lack those good security measures and more."

Performing a thorough security risk assessment of each legacy system is critical, Borten says.

"Prioritize identified risks. Implement solutions including creative mitigation strategies - for example, isolate the system, reduce the number of users to a minimum, force stronger passwords - when systems can't be promptly replaced," she says.

Steps to Take

Indeed, if an organization decides to maintain a legacy system, it should strengthen its existing controls or implement compensating controls, HHS OCR writes. Controls to consider include:

  • Enhancing system activity reviews and audit logging to detect unauthorized activity - paying special attention to security configurations, authentication events, and access to ePHI;
  • Restricting access to the legacy system to a minimum number of users;
  • Strengthening authentication requirements and access controls;
  • Restricting the legacy system from performing unnecessary functions or operations;
  • Ensuring that the legacy system is backed up;
  • Developing contingency plans that contemplate a higher likelihood of failure, especially if the legacy system is providing a critical service;
  • Implementing strict firewall rules;
  • Implementing anti-malware solutions.
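As an added illustration of how the first two controls above can be applied in practice (this is example code, not part of the HHS OCR bulletin or this article), the script below reviews audit log lines from a legacy system for authentication events, security configuration changes and ePHI access, and flags successful use by any account outside a minimum approved user set. The log format, account names and record identifiers are hypothetical, and the sample lines are constructed.

```python
# Added example (not the bulletin's or the article's code): review a legacy system's
# audit log against two of the listed controls. Log format, accounts and record IDs are hypothetical.
import re
from collections import Counter

# Hypothetical approved user list (control: restrict access to a minimum number of users).
APPROVED_USERS = {"rn_smith", "dr_jones", "svc_backup"}
# Hypothetical legacy-system log format: "<ISO time> <EVENT> user=<name> [key=value ...]".
LOG_RE = re.compile(r"^(\S+) (\S+) user=(\S+)(.*)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, event, user, rest = m.groups()
    extra = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": ts, "event": event, "user": user, **extra}

def review(lines, approved=APPROVED_USERS, fail_threshold=2):
    """Return (timestamp, reason) findings that a security reviewer should look at."""
    findings = []
    failures = Counter()  # failed logins per account
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ev, user = rec["event"], rec["user"]
        if ev == "AUTH_FAIL":
            failures[user] += 1
            if failures[user] == fail_threshold:
                findings.append((rec["ts"], f"{fail_threshold} failed logins for {user}"))
        elif ev in ("AUTH_OK", "PHI_ACCESS") and user not in approved:
            # Successful use of the system by an account outside the minimum user set.
            findings.append((rec["ts"], f"{ev} by non-approved account {user}"))
        elif ev == "CONFIG_CHANGE":
            # Any security configuration change on a legacy system merits review.
            findings.append((rec["ts"], f"{user} changed {rec.get('setting')} to {rec.get('value')}"))
    return findings

# Constructed sample log lines, not from a real system.
SAMPLE_LOG = [
    "2023-01-09T08:02:11 AUTH_OK user=rn_smith src=10.20.5.14",
    "2023-01-09T08:03:40 PHI_ACCESS user=rn_smith record=PT-0001",
    "2023-01-09T08:10:02 AUTH_FAIL user=admin src=10.20.9.77",
    "2023-01-09T08:10:05 AUTH_FAIL user=admin src=10.20.9.77",
    "2023-01-09T08:12:01 PHI_ACCESS user=jdoe record=PT-0042",
    "2023-01-09T08:15:00 CONFIG_CHANGE user=dr_jones setting=audit_logging value=off",
]
```

Running `review(SAMPLE_LOG)` yields three findings: the repeated failed logins for `admin`, the ePHI access by the non-approved account `jdoe`, and the change that turned audit logging off.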

"It is very difficult to make informed decisions about managing the risk of legacy systems if you are either unaware of the risks or don’t act to treat them effectively," Moore says.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
