OCR Cybersecurity Newsletter: Securing Your Legacy [System Security] October is Cyber Security Awareness Month and a great time for organizations to revisit the protections they have in place for their legacy systems. Health care organizations rely on many technical systems to deliver their services. The HIPAA Security Rule1 requires covered entities and their business associates to implement safeguards that reasonably and appropriately secure the electronic protected health information (ePHI) that these organizations create, receive, maintain, or transmit. As health care entities’ technological footprint grows, the number of systems these organizations need to identify, assess, and maintain grows as well. Many health care organizations rely on legacy systems, which is a term for an information system with one or more components that have been supplanted by newer technology and for which the manufacturer is no longer offering support. But despite their common use, the unique security considerations applicable to legacy systems in an organization’s IT environment are often overlooked. Ideally, all organizations would only use information systems that are fully patched and up to date. However, in reality, health care organizations must balance competing priorities and obligations. There are many reasons why a health care organization may elect to keep using a legacy system, such as: The organization may not be able to replace the legacy system without sacrificing availability of data, disrupting critical services, or compromising data integrity. For health care providers, this can apply to medical devices, electronic health records, and other systems offering critical services. The organization is reluctant to tinker with technology that appears to be working, or to deploy a new and unfamiliar system that may reduce efficiency or lead to increased user errors. The organization is reluctant to replace a system that is well-tailored to its business model, or with which it has a high degree of competence. The organization’s other systems depend on the legacy system or are incompatible with newer systems. The organization is unable to dedicate the time, funds, or human resources needed to retire and replace the legacy system. While many factors may contribute to an organization’s decision to continue to use a legacy system, it is important that the organization include security in its considerations, especially when the legacy system could be used to access, store, create, maintain, receive, or transmit ePHI. Managing the Security Risk of Legacy Systems Legacy systems’ lack of vendor support makes them particularly vulnerable to cyberattacks. The HIPAA Security Rule requires covered entities and their business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI throughout their environment, including ePHI used by legacy systems.2 An accurate and up-to-date asset inventory is a useful first step because it can help organizations understand where critical processes, data, and legacy systems reside within their organization.3 After assessing the potential risks and vulnerabilities to their ePHI, covered entities and business associates must implement security measures to reduce those risks and vulnerabilities to a reasonable and appropriate level as part of their risk management.4 For legacy systems, this means identifying the potential risks and vulnerabilities to ePHI posed by those systems, the security measures the organization will take to reduce those potential risks and vulnerabilities, and the proposed timeline, including (if possible) the legacy system’s ultimate retirement date. Organizations often elect one or more of the following strategies to mitigate a legacy system’s security risk: Upgrade to a supported version or system. Contract with the vendor or a third party for extended system support or migrate the system to a supported cloud-based solution. Remove or segregate the legacy system from the internet or from the organization’s network. Maintain the legacy system, but strengthen existing controls or implement compensating controls. If an organization elects to maintain a legacy system and strengthen its existing controls, or implement compensating controls, those controls should be tailored to the potential risks and vulnerabilities identified with the legacy system. Such controls may include: Enhancing system activity reviews and audit logging to detect unauthorized activity, with special attention paid to security configurations, authentication events, and access to ePHI.5 Restricting access to the legacy system to a reduced number of users.6 Strengthening authentication requirements and access controls.7 Restricting the legacy system from performing functions or operations that are not strictly necessary (e.g., by removing or disabling unnecessary software and services). Ensuring that the legacy system is backed-up – especially if strengthened or compensating controls impact prior backup solutions.8 Developing contingency plans that contemplate a higher likelihood of failure, especially if the legacy system is providing a critical service.9 Implementing aggressive firewall rules. Implementing supported anti-malware solutions. In addition to implementing safeguards required by the HIPAA Security Rule, covered entities and business associates are also required to review and modify their security measures to ensure the continued protection of their ePHI.10 When a system is nearing legacy status (or is already a legacy system) organizations should assess the specific security risks associated with those systems. If an organization elects to maintain a legacy system, it should review and modify its security measures to ensure the continued protection of its ePHI. Finally, organizations should consider when the burdens of maintaining a legacy system will outweigh its benefits and plan for the legacy system’s eventual removal and replacement. Additional Resources NIST Special Publication 800-70 Revision 4: National Checklist Program for IT Products – Guidelines for Checklist Users and Developershttps://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-70r4.pdf NIST Special Publication 1800-8: Securing Wireless Infusion Pumps in Healthcare Delivery Organizations https://www.nccoe.nist.gov/sites/default/files/library/sp1800/hit-wip-nist-sp1800-8.pdf NIST Special Publication 1800-24: Securing Picture Archiving and Communication System (PACS)https://www.nccoe.nist.gov/sites/default/files/library/sp1800/hit-pacs-nist-sp1800-24-draft.pdf Health Care Industry Cybersecurity Task Force, Report on Improving Cybersecurity in the Healthcare Industry 2017 https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf * This document is not a final agency action, does not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion. 1. OCR administers and enforces the HIPAA Privacy, Breach Notification, and Security Rules at 45 CFR Part 160 and Part 164 Subparts A, C, D and E. The Security Rule establishes national standards to protect electronic PHI (ePHI) created, received, used or maintained by covered entities and their business associates. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. back to note 1 2. See 45 CFR 164.308(a)(1)(ii)(A): Risk Analysis. back to note 2 3. See OCR Cybersecurity newsletter on maintaining an asset inventory: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html back to note 3 4. See 45 CFR 164.308(a)(1)(ii)(B): Risk Management. back to note 4 5. See 45 CFR 164.312(b): Audit Controls; 45 CFR 164.308(a)(1)(ii)(D): Information System Activity Review. back to note 5 6. See 45 CFR 164.308(a)(4)(i): Information Access Management. back to note 6 7. See 45 CFR 164.312(a)(1): Access Control;45 CFR 164.312(d): Person or Entity Authentication. back to note 7 8. See 45 CFR 164.308(a)(7)(ii)(A): Data Backup Plan. back to note 8 9. See 45 CFR 164.308(a)(7)(i): Contingency Plan. back to note 9 10. See 45 CFR 164.306(e): Maintenance. back to note 10 Frequently Asked Questions for Professionals - Please see the HIPAA FAQs for additional guidance on health information privacy topics.