OCR Cybersecurity Newsletter Addresses Security of Legacy Computer Systems

OCR’s Fall 2021 cybersecurity newsletter addresses the importance of securing legacy computer systems—that is, systems with one or more components that have been supplanted by newer technology and are no longer supported by the manufacturer. According to OCR, all organizations ideally would use only systems that are fully patched and up-to-date, but many factors explain why health organizations continue to use legacy systems, including data and service disruptions triggered by replacement; reluctance to tinker with technology that seems to be working, is well-tailored to an organization’s business model, or is familiar to the organization; dependence of other systems on the legacy systems; or lack of resources needed to retire and replace the legacy systems. Although many factors may contribute to the retention of legacy systems, OCR emphasizes the importance of security considerations, especially for legacy systems accessing, creating, maintaining, receiving, or transmitting protected health information (PHI).

Noting that legacy systems’ lack of manufacturer support makes them particularly vulnerable to cyberattacks, OCR stresses that legacy systems must be included in an organization’s HIPAA risk assessment, which means identifying the potential risks and vulnerabilities to PHI posed by those systems, the security measures the organization will take to reduce those potential risks and vulnerabilities, and the proposed timeline, including (if possible) the legacy system’s ultimate retirement date. Mitigating security risk may entail upgrading to a supported version or system; contracting with a third party for extended system support; migrating to a cloud-based solution; removing or segregating the legacy system from the internet or the organization’s network; or strengthening existing controls or implementing compensating controls. OCR provides examples of strengthened or compensating controls, such as enhancing system activity reviews and access controls; tightening access to legacy systems; disabling unnecessary software and functions; developing contingency plans that contemplate a higher likelihood of failure; ensuring that data is backed up; and implementing aggressive firewalls and supported anti-malware solutions. Moreover, organizations should consider when the burdens of maintaining legacy systems outweigh the benefits and plan for the legacy system’s eventual removal and replacement.

EBIA Comment: OCR has often focused on the importance of patching software to comply with the HIPAA security rule (for example, see our Checkpoint article on OCR’s June 2018 newsletter). Therefore, it is reassuring to see the pragmatic approach in this newsletter—recognizing situations in which legacy systems are necessary and providing practical guidance on mitigating risks in those situations. Covered entities and business associates that rely on legacy systems may wish to review their risk assessments and related HIPAA policies and procedures in light of the information provided in the newsletter. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXIX.E (“Developing Your Security Program”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 7/7/2021).

Contributing Editors: EBIA Staff.