Legacy Systems Pose Under-the-Radar Threat to Security, HIMSS Survey Finds

By Jane Anderson

Table of Contents

Email phishing is the most obvious risk facing health care entities as they seek to prevent breaches of protected health information (PHI), but legacy systems still in use are a covert—yet substantial—risk factor.

That’s the word from the 2019 HIMSS Cybersecurity Survey, which found that significant security incidents are a “near universal experience” in U.S. health care organizations. The survey also found that provider organizations are making gains in addressing these threats, says Lorren Pettit, vice president for research at HIMSS.

The survey found that health care organizations continue to experience significant security incidents: only 22% of health care organizations did not experience a breach over the last 12 months, similar to previous surveys the society has done (“Privacy Briefs,” RPP 15, no. 7). The majority of these incidents involved bad actors, and phishing and other email compromise schemes were the most prevalent threats.

However, Pettit warns that phishing may overshadow the threat posed by the expansive use of legacy platforms. “Not only do most organizations have at least one legacy system still in operation, but many organizations are resigned to the fact that they are dependent on these systems because they don’t have the resources to replace [them],” he tells RPP.

Organizations may operate legacy systems for several reasons: there may be no other alternative for the applications involved, workflows might get disrupted during a transition, and upgrading may be extremely costly, Pettit says.

HIMSS found that 86% of hospital respondents had at least one legacy system in place, Pettit says, adding that “this finding is significant as it illuminates the tension between the need to patch and upgrade systems—if they can be patched or upgraded—and the reality that many organizations remain dependent on legacy devices.”

These platforms may still perform their primary function “perfectly within expectations,” Pettit says, but may require additional security controls, such as isolation on their own networks or network segments. The problem isn’t necessarily the fault of security staff, he says. “Rather, it is a cost-benefit analysis and—likely—a wish for the health care organizations not to disrupt patient care and/or protocol.”

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings