Securing Legacy Systems and Devices for HIPAA Compliance

The Department of Health and Human Services’ Office for Civil Rights has informed HIPAA-covered entities to evaluate the security of their legacy IT programs and devices.

A legacy system refers to any system that includes one or more parts that were replaced by more recent technology and hit end-of-life. Whenever software programs and devices hit end-of-life, support also ends, and there will be no more patches issued to resolve identified vulnerabilities. That’s why legacy systems and devices are prone to cyberattacks.

Healthcare companies must be mindful of the date when support won’t be available. They must develop a plan to change obsolete software programs and devices; nonetheless, there are usually legitimate reasons for still using legacy systems and products.

Legacy systems could still function well and be customized to a company’s business design, therefore there may be an unwillingness to switch to current systems that have support. Changing to a current system might necessitate time, money, and human assets that aren’t readily available, or it might mean that replacing a legacy system would disrupt critical services, affect information integrity, or make ePHI inaccessible.

HIPAA-covered entities must make sure that all software programs, systems, and gadgets are always patched and updated, however in healthcare, there are usually competing goals and commitments. When the choice is made to keep on utilizing legacy systems and devices, it is crucial to consider security and implement safeguards to make sure that those systems and gadgets won’t be hacked. That is particularly crucial when it’s possible to use legacy systems and devices to access, hold, create, retain, receive, or transfer electronic protected health information (ePHI).

Continuing to use legacy software and devices does not violate HIPAA Rules, as long as compensating controls are put in place to make sure ePHI is secured. If security considerations are overlooked when using legacy systems, that is a violation of the HIPAA Rules.

There are many legacy systems used in the healthcare field that need protection. Healthcare companies should have complete knowledge of the legacy systems that are used in their company. If the IT team is not aware of the use of legacy systems, there won’t be compensating controls implemented to make sure they are properly secured.

It is important to create a detailed inventory that lists all legacy systems and devices and to do a security risk analysis on every system and device. It is required by the HIPAA Security Rule that covered entities and their business associates should perform a correct and complete evaluation of the likely risks and vulnerabilities to the integrity, confidentiality, and availability of ePHI, which include ePHI found in legacy systems.

Risks should be determined, prioritized, and addressed to minimize them to a low and tolerable level. Mitigations consist of updating to a supported system or version, getting a vendor that offers extended support, moving the system to a secured cloud-based option, or separating the system from the network.

When HIPAA-covered entities decide to keep a legacy system, current security controls must be toughened, or compensating controls must be applied. OCR states consideration must be given to the problems of upkeep, as they may offset the advantages of continually using the legacy system and there must be plans to eventually remove and replace the legacy system.

For the time being, OCR recommends these controls to enhance security:

  • Improve system activity checks and audit recording to identify unauthorized activity, with particular attention given to security settings, authentication events, and ePHI access.
  • Limit legacy system access to a small number of users.
  • Reinforce authentication prerequisites and access controls.
  • Limit the legacy system from executing functions or actions that aren’t really essential
  • Make certain to perform backups of the legacy system, particularly when improved or compensating controls affect previous backup solutions.
  • Create contingency plans that take into account a higher probability of failure.
  • Carry out aggressive firewall regulations.
  • Use secure anti-malware programs.