Upgrade your Legacy Systems for Strengthened Cybersecurity

If HIPAA applies to your Plan, and you handle Protected Health Information (PHI), consider a “winterization” of your software systems. If you have a legacy system, considering strengthening or replacing it with more secure software.

What is a “legacy system” you ask? It’s something the Office of Civil Rights (OCR) wants you to know. The Autumn 2021 OCR Newsletter suggests strategies to keep PHI safe within such systems.

A legacy system is one that is no longer being supported by its manufacturer.  A classic example is Windows 7 (which Microsoft stopped supporting in January 2020).  The HIPAA Security Rule does not require a Plan to stop using a legacy system, but does require it to manage the added risk of continued use.

Strategies for mitigating risk include:

  • Upgrading to a supported version or system.
  • Contracting with the vendor or a third party for extended system support, or migrating the system to a supported cloud-based solution.
  • Removing or segregating the legacy system from the internet or from the organization’s network.
  • Maintaining the legacy system, but strengthening existing controls or implementing compensating controls.

Plan actions (Examples):

  • Enhance system activity reviews and audit logging to detect unauthorized activity, with special attention paid to security configurations, authentication events, and access to ePHI.
  • Restrict access to the legacy system to fewer users.
  • Strengthen authentication requirements and access controls.
  • Restrict the legacy system from performing unnecessary functions or operations (e.g., by removing or disabling unnecessary software and services).
  • Ensure that the legacy system is backed-up – especially if strengthened or compensating controls impact prior backup solutions.
  • Develop contingency plans that contemplate a higher likelihood of failure, especially if the legacy system is providing a critical service.
  • Implement aggressive firewall rules.
  • Implement supported anti-malware solutions.

Leave a Reply

Your email address will not be published. Required fields are marked *