If HIPAA applies to your Plan and you handle Protected Health Information (PHI), consider a “winterization” of your software systems. If you have a legacy system, consider strengthening its controls or replacing it with supported, more secure software.
What is a “legacy system,” you ask? It is something the Office for Civil Rights (OCR) wants you to know. The Autumn 2021 OCR Newsletter suggests strategies to keep PHI safe within such systems.
A legacy system is one that is no longer supported by its manufacturer or vendor: it no longer receives security patches, so newly discovered vulnerabilities stay unfixed. A classic example is Windows 7, for which Microsoft ended support in January 2020. The HIPAA Security Rule does not require a Plan to stop using a legacy system, but it does require the Plan to identify and manage the added risk of continued use through its risk analysis and risk management process.
Strategies for mitigating risk include:
- Upgrading to a supported version or system.
- Contracting with the vendor or a third party for extended system support, or migrating the system to a supported cloud-based solution.
- Removing or segregating the legacy system from the internet or from the organization’s network.
- Maintaining the legacy system, but strengthening existing controls or implementing compensating controls.
Plan actions (examples):
- Enhance system activity reviews and audit logging to detect unauthorized activity, with special attention paid to security configurations, authentication events, and access to ePHI.
- Restrict access to the legacy system to the smallest set of users who actually need it.
- Strengthen authentication requirements and access controls.
- Restrict the legacy system from performing unnecessary functions or operations (e.g., by removing or disabling unnecessary software and services).
- Ensure that the legacy system is backed up, especially if strengthened or compensating controls interfere with the previous backup solution.
- Develop contingency plans that contemplate a higher likelihood of failure, especially if the legacy system is providing a critical service.
- Implement aggressive firewall rules (for example, a default-deny policy that permits only the specific hosts, ports and protocols the legacy system needs).
- Implement supported anti-malware solutions, meaning a product whose vendor still ships engine and signature updates for the legacy platform.
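As an added illustration of the first and seventh actions in the list (enhanced review of audit events, and confirming that the host really is confined to its segregated network segment), here is a small Python review script. It is not part of the OCR newsletter or of this post. It runs over a constructed export of Windows Security events from a hypothetical legacy host: the event IDs (4624, 4625, 4663, 4719, 1102) are real Windows Security event IDs, but the host name LEGACY7, the ePHI share path, the account names, the 10.1.5.0/24 segment and the thresholds are assumptions to be adjusted for your own environment.

```python
"""Review exported Windows Security events from a legacy host for the activity
the compliance list calls out: security configuration changes, authentication
events, and access to ePHI. Added example; log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Windows Security event IDs used here (real IDs).
LOGON_OK, LOGON_FAIL = 4624, 4625          # account logged on / failed to log on
OBJECT_ACCESS = 4663                       # an attempt was made to access an object
AUDIT_POLICY_CHANGED, AUDIT_LOG_CLEARED = 4719, 1102

# Assumed policy for the hypothetical legacy host LEGACY7.
# Strings are normal (non-raw) Python strings, so "\\" is one backslash.
EPHI_PREFIX = "\\\\LEGACY7\\ePHI\\"                      # share holding ePHI (assumption)
ALLOWED_EPHI_USERS = {"HR\\jdoe", "HR\\asmith"}          # the reduced user set (assumption)
ALLOWED_SOURCE_NET = ipaddress.ip_network("10.1.5.0/24")  # segregated segment (assumption)
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=5)

# Constructed sample export, one event per line:
# timestamp | event id | account | source IP | target object
SAMPLE_LOG = """\
2021-11-02T08:01:10 | 4624 | HR\\jdoe | 10.1.5.20 | -
2021-11-02T08:03:42 | 4663 | HR\\jdoe | 10.1.5.20 | \\\\LEGACY7\\ePHI\\claims.xls
2021-11-02T08:10:05 | 4663 | HR\\pvendor | 10.1.5.31 | \\\\LEGACY7\\ePHI\\enrollment.mdb
2021-11-02T12:30:00 | 4624 | LEGACY7\\Administrator | 172.16.9.7 | -
2021-11-02T12:31:15 | 4719 | LEGACY7\\Administrator | 172.16.9.7 | -
2021-11-02T22:14:01 | 4625 | HR\\jdoe | 10.1.5.88 | -
2021-11-02T22:14:09 | 4625 | HR\\jdoe | 10.1.5.88 | -
2021-11-02T22:14:18 | 4625 | HR\\jdoe | 10.1.5.88 | -
2021-11-02T22:14:27 | 4625 | HR\\jdoe | 10.1.5.88 | -
2021-11-02T22:14:36 | 4625 | HR\\jdoe | 10.1.5.88 | -
2021-11-02T22:15:02 | 4624 | HR\\jdoe | 10.1.5.88 | -
"""


def parse_line(line):
    """Split one pipe-delimited export line into a dict."""
    ts, event_id, account, src_ip, target = [f.strip() for f in line.split("|")]
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
            "account": account, "src": src_ip, "target": target}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def review(events):
    """Return a list of (finding_type, account, detail) tuples, in event order."""
    findings = []
    failed = defaultdict(list)   # account -> timestamps of recent failed logons
    recent_burst = {}            # account -> time a failed-logon burst was flagged

    for e in events:
        # 1. Changes to the audit configuration itself are always worth a look.
        if e["id"] in (AUDIT_POLICY_CHANGED, AUDIT_LOG_CLEARED):
            findings.append(("audit_config_change", e["account"], str(e["ts"])))

        # 2. Access to ePHI by an account outside the reduced user set.
        if (e["id"] == OBJECT_ACCESS and e["target"].startswith(EPHI_PREFIX)
                and e["account"] not in ALLOWED_EPHI_USERS):
            findings.append(("unexpected_ephi_access", e["account"], e["target"]))

        # 3. A logon from outside the segregated segment means the segregation
        #    or the firewall rules are not doing their job.
        if e["id"] == LOGON_OK:
            if ipaddress.ip_address(e["src"]) not in ALLOWED_SOURCE_NET:
                findings.append(("logon_outside_segment", e["account"], e["src"]))
            burst_at = recent_burst.get(e["account"])
            if burst_at is not None and e["ts"] - burst_at <= FAILED_LOGON_WINDOW:
                findings.append(("success_after_failed_burst", e["account"], e["src"]))

        # 4. Repeated failed logons for one account inside a sliding window.
        if e["id"] == LOGON_FAIL:
            window = [t for t in failed[e["account"]] if e["ts"] - t <= FAILED_LOGON_WINDOW]
            window.append(e["ts"])
            if len(window) >= FAILED_LOGON_THRESHOLD:
                findings.append(("failed_logon_burst", e["account"], e["src"]))
                recent_burst[e["account"]] = e["ts"]
                window = []      # start counting again after flagging
            failed[e["account"]] = window
    return findings


def review_log(text):
    return review(parse_log(text))


if __name__ == "__main__":
    for kind, account, detail in review_log(SAMPLE_LOG):
        print(f"{kind:28} {account:24} {detail}")
```

Run against a real export, the script would read the host's exported Security log instead of SAMPLE_LOG; the point is that each rule maps directly to one of the listed controls (reduced user set, network segregation, audit logging), so a finding tells you which compensating control has slipped.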