If there’s anything you can usually count on in cybersecurity circles, it’s annual reports about healthcare data breaches happening more frequently and increasing in severity. That’s why mixed news about healthcare data security after the first half of 2023 showed a refreshing glimmer of hope. Although reported breaches were larger in scope, the total projected number of healthcare breaches for the year was the lowest since 2019.
But what a difference one quarter makes.
Breaches in 2023 are now expected to double last year’s total. Almost 89 million people in the U.S. were impacted by healthcare data breaches through mid-October, an increase from 43.5 million at the same point in 2022.
The possibility of experiencing a breach is an omnipresent threat for both healthcare organizations and patients, and lack of preparedness on the part of the former is a liability in today’s digital- and data-driven world. Healthcare leaders cannot assume their organization’s data is safe. It’s not. This is especially true for data residing in legacy systems.
The age of legacy systems is a threat to healthcare cyber security
Legacy technology (e.g., devices, hardware, applications, and operating systems) represents the third-biggest security challenge for healthcare cyber security programs. Legacy software in particular is the initial point of compromise 15% of the time.
Why do legacy systems and technologies pose such a significant threat?
Because they’re old, obsolete, and outdated. Too often, healthcare leaders and staff become dependent on operating systems that aren’t updated in a timely fashion. But manufacturers don’t often support legacy technology, meaning healthcare data security patches and other upgrades simply aren’t available. This can happen with legacy medical devices, electronic health records, apps, enterprise resource management solutions, and much more. Without these critical upgrades and patches, organizations that continue to use these systems and technologies become extremely vulnerable to data breaches. Attackers can easily exploit vulnerabilities to gain unauthorized access.
Another reason legacy systems and technologies pose a challenge? They may have outdated or old open-source code, making it difficult for IT staff trained in newer technologies to identify and address vulnerabilities to promote data security.
Organizations need solutions to keep up with new features & compliance
The barriers that legacy technologies pose to effective data management in healthcare unfortunately don’t stop there. Legacy systems weren’t developed with healthcare cyber security and the latest threats in mind, thus they’re not usually compatible with newer security features. And there are many new, critical tools that are essential to a top-notch security operation, including:
- Advanced encryption, or using multiple rounds of encryption on smaller blocks of information to provide added security
- 24/7 system monitoring, or the ability of real-time monitoring to swiftly identify and contain threats around the clock
- Role-based access, or the ability to give users access to different parts of the network based on their assigned roles
- Single sign-on, a centralized approach to authentication and authorization that reduces the number of necessary passwords and thus the likelihood of weak passwords
- Multi-factor authentication, or the ability to grant access after a user presents two or more pieces of evidence to confirm their identity
In addition, legacy systems may not comply with current regulations for protecting patient data, like creating advanced audit trails and reports. Or in some cases, audit trails and logs could be in a proprietary format that no one can access or analyze. These assets could otherwise provide valuable insights that organizations can use to promote healthcare cyber security. This inability to monitor actions is particularly problematic when legacy systems and technologies are connected to the internet as well as an internal corporate network. If a hacker exploits a legacy system or technology without triggering any alerts or logs, they can access valuable data – and potentially remain undetected for lengthy periods of time.
How archiving mitigates risk & improves data management in healthcare
Here’s the bottom line: Legacy systems continue to pose a threat even despite an organization’s best efforts to promote healthcare cyber security. In a recent cybersecurity newsletter, the Office for Civil Rights (OCR) reminds healthcare providers of the importance of maintaining healthcare data security—particularly around managing the security risk of legacy systems.
The good news? There is an effective strategy to mitigate security risk: healthcare data archiving. Here are four ways in which data management in healthcare benefits from archiving:
- Data is stored securely in a safe cloud-based location with better access controls to protect against data breaches.
- Archiving contributes to a strong data governance strategy that helps providers meet compliance and regulatory standards while simultaneously promoting business continuity.
- Archiving facilitates data migration onto more secure systems, helping healthcare providers preserve and protect sensitive data in the long run.
- Archiving data to a cloud-based solution reduces the overall surface of attack and exposure, allowing cyber security resources to be re-deployed elsewhere. This is particularly beneficial from a financial perspective. According to the 2022 HIMSS Healthcare Cybersecurity Survey, budget is the second-highest barrier to robust cyber security (behind inadequate cyber security staff), cited by 50% of respondents.
During a time when healthcare cyber security continues to evolve, why increase risk by continuing to rely on legacy systems and technologies? It’s completely unnecessary. The disadvantages of using those antiquated systems far outweigh any perceived advantages. Instead, it’s time to let go of old technology and embrace innovative solutions that promote healthcare data security. Archiving is the answer. Contact Olah today to learn how we can help.
