The healthcare industry fell victim to 503 data breaches in 2018, which affected over 16 million patient records. 2018 also had the highest HIPAA penalty amounts on record, totaling $28,683,400.
Healthcare facilities face many internal and external security threats (hidden HTTPS tunnels, external remote access tools, internet “dark web scans”, and DNS tunnels), and maintaining countless legacy systems compounds these risks. To help you assess your facility’s risk, here are some common questions we receive regarding legacy system security, data archiving, and migration:
Why do legacy systems pose a security risk?
The simple answer is that legacy systems run on platforms that were designed many years ago and often cannot be updated. In the interim, security standards have evolved as hacking techniques have advanced, leaving these systems highly vulnerable. To help protect these systems, many IT teams develop band-aid solutions to secure systems that were not designed for the modern IT world.
Additionally, old systems are difficult to maintain: it is hard to find IT professionals with the skill set required to support the tools and patches, and updates from the system vendor may run dry or be extremely costly. Outdated operating systems and obsolete programming languages make it nearly impossible to put the necessary modern security and privacy controls in place. The combination of lack of system expertise, lack of updates, and a myriad of patched solutions to bridge the gap creates a very high-risk system environment.
How can we consolidate legacy systems?
Legacy systems stick around for a reason: they contain medical and business records your facility needs. Fortunately, there is an alternative to the costly and risky maintenance option: consolidation. As a first step, take an inventory of all the systems your facility runs. Through the process of mergers and acquisitions, it’s not uncommon to be running dozens of unnecessary legacy systems at any given hospital or health system; it’s not hard to imagine how some systems get forgotten. In many cases, these systems are candidates for data migration or archive. To decide which ones might be candidates, consider the following for each system:
- Is it needed for ongoing reference and functionality, or can it be eliminated?
- Can its functionality be covered by another more modern system you already have?
- Is this system subject to electronic discovery requirements/medical record retention laws?
If the system is not needed, or can be (or has been) replaced by a more modern system, and IS subject to electronic discovery requirements, it is a strong candidate for data migration and/or archival.
Should we archive or migrate?
Decommissioning legacy systems through data archiving or migration keeps crucial legacy data easily accessible while simplifying the security process, because the records from multiple legacy systems are consolidated into a unified archive. Both archiving and migrating solutions help mitigate security and privacy threats simply by reducing your facility’s attack surface.
The best way to decide between a migration (moving the data to another enterprise system) and an archive (moving the data to a searchable, secure, PDF archive for reference use) is to determine the recency of the data and how often it needs to be accessed. Opt for an archive if you do not need to access the data often, since archiving is typically a more straightforward process than a full migration. However, if you have a system with recent patient records for which active functionality is needed (such as billing/rebilling, or data mining), those records will likely need to be migrated to a new system.
An experienced data archive and migration vendor can help your facility preserve the integrity of the legacy data and retain important details such as version history and audit trails to keep your data secure and in compliance.
Operating numerous legacy systems is not only a drain on enterprise resources, but it is also fraught with security vulnerabilities. By taking stock of your systems and evaluating which systems are strong candidates for archives or migrations to new systems, you take one strong step toward protecting the integrity of your patient data and reducing costs and risks.