In a recent cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights (OCR) advised HIPAA-covered entities to make sure their legacy IT systems and devices remain secure.

What is a legacy system?

A legacy system is one in which one or more components have been supplanted by newer technology and are no longer supported by the manufacturer, meaning that security patches are no longer issued to fix newly discovered vulnerabilities. Because those vulnerabilities stay open indefinitely, legacy systems expose an organization to potential HIPAA non-compliance and to data breaches involving valuable PHI.

Still, those working in healthcare and dental practices may hesitate to upgrade when legacy systems appear to be adequate. For example, a study by Forescout showed that while there was a major push in the industry to upgrade platforms to Windows 10, 68 percent of healthcare organizations continued running an outdated version of Windows for over a year.

The true cost of vulnerability

Often, businesses feel that continuing to use what they already have is more cost-effective, but when it comes to cybersecurity, that isn’t the case. Research from Verizon shows that cyberattacks targeting the healthcare, pharma and biotech industries increased by 58 percent in 2020, with no sign of slowing. In fact, healthcare is the most attacked industry and the slowest to respond, according to Becker’s Hospital Review.

With an average cost of $7.13 million per breach, according to IBM, data breaches in healthcare carry a larger price tag than in any other industry. Beyond the financial implications, Becker’s also found that a growing lack of trust in the medical field can be attributed in large part to the spread of misinformation and to data breaches.

Protecting your PHI

It is vital that HIPAA-covered entities keep their systems, software and devices up to date. Where an upgrade isn’t an option, the legacy system must be identified and included in the risk assessment, and compensating safeguards must be put in place to reduce the likelihood and impact of a cyberattack.

According to the OCR: “The HIPAA Security Rule requires covered entities and their business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI throughout their environment, including ePHI used by legacy systems.”
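The first step in such an assessment is simply knowing which systems are past vendor support and which of those touch ePHI. The script below is an added example, not code from the original page or from OCR: it runs a constructed asset inventory against a table of end-of-support dates and ranks each host by whether it is unsupported, handles ePHI, and is network-segmented. The dates in `END_OF_SUPPORT`, the hostnames, and the `Asset` fields are assumptions for illustration; real values should come from the vendor’s published lifecycle data and your own inventory.

```python
"""Flag end-of-support (legacy) systems in an asset inventory and rank them by
the risk they pose to ePHI.  Added example; not code from the original page."""
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates.  Placeholder values for illustration only;
# take real dates from the vendor's published lifecycle pages.
END_OF_SUPPORT = {
    ("windows", "7"): date(2020, 1, 14),
    ("windows", "8.1"): date(2023, 1, 10),
    ("windows", "10"): date(2025, 10, 14),
    ("windows server", "2008 r2"): date(2020, 1, 14),
    ("windows server", "2012 r2"): date(2023, 10, 10),
}

# Sort order for findings: most urgent first.
RISK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Asset:
    hostname: str
    os_name: str
    os_version: str
    handles_ephi: bool   # creates, receives, stores, or transmits ePHI
    segmented: bool      # isolated from the general network and the internet


def days_past_support(asset: Asset, today: date):
    """Days since vendor support ended: 0 if still supported, None if the
    OS/version is not in the lifecycle table and needs manual review."""
    eos = END_OF_SUPPORT.get((asset.os_name.lower(), asset.os_version.lower()))
    if eos is None:
        return None
    return max(0, (today - eos).days)


def rate(asset: Asset, overdue) -> tuple:
    """Return (status, risk) for one asset.

    An unsupported host that handles ePHI and sits on the flat network is the
    worst case; segmentation lowers it one notch; a supported host is low."""
    if overdue is None:
        return ("unknown-support", "medium")
    if overdue == 0:
        return ("supported", "low")
    if asset.handles_ephi and not asset.segmented:
        return ("end-of-support", "critical")
    if asset.handles_ephi:
        return ("end-of-support", "high")
    return ("end-of-support", "medium")


def assess(assets, today: date):
    """Rate every asset and return findings sorted most urgent first."""
    findings = []
    for a in assets:
        overdue = days_past_support(a, today)
        status, risk = rate(a, overdue)
        findings.append({"hostname": a.hostname, "status": status,
                         "risk": risk, "days_past_support": overdue})
    return sorted(findings, key=lambda f: (RISK_ORDER[f["risk"]], f["hostname"]))


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    Asset("imaging-ws01", "Windows", "7", handles_ephi=True, segmented=False),
    Asset("hl7-gw", "Windows Server", "2012 R2", handles_ephi=True, segmented=True),
    Asset("front-desk-pc", "Windows", "10", handles_ephi=True, segmented=False),
    Asset("lab-analyzer", "Embedded Linux", "vendor-custom", handles_ephi=True, segmented=True),
]
TODAY = date(2024, 6, 1)  # fixed date so the sample output is reproducible

if __name__ == "__main__":
    for f in assess(INVENTORY, TODAY):
        print(f"{f['risk']:<9} {f['hostname']:<14} {f['status']:<16} "
              f"days past support: {f['days_past_support']}")
```

Hosts rated `unknown-support` are the ones most often missed in practice (vendor-managed medical devices with a bespoke OS); they belong in the risk assessment even though the table cannot place them, which is why they are flagged rather than silently skipped.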

When you’re busy caring for your patients, you don’t have spare time to ensure every element of your IT is locked down. We can help. For a limited time, we are offering a FREE compliance review to healthcare and dental businesses – just click here.