HHS OCR Bulletin: Address Security for Legacy Systems
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published a bulletin that urges healthcare organizations to manage the security risk of legacy systems. The Health Insurance Portability and Accountability Act (HIPAA) requires “requires covered entities and their business associates to implement safeguards that reasonably and appropriately secure the electronic protected health information (ePHI) that these organizations create, receive, maintain, or transmit.”
OCR defines a “legacy” system as “an information system with one or more components that have been supplanted by newer technology and for which the manufacturer is no longer offering support.” I think they should just call them “unsupportable” systems to make the issue gain more traction. The OCR advice is solid for trying to reduce the risk of unsupportable systems, but many exist because much longer (often infinite) lifecycles were estimated for devices, software, and systems than is realistic when technology advances are shortening. Budgets and planning should be assuming shorter lifecycles – think cell phone replacement lifecycles, not refrigerator lifecycles.
This bulletin also requires added mitigations and assessments of legacy systems. The concern is that your legacy system would not be able to protect ePHI at the same level as newer systems as they are not engineered to the current threat landscape. The bulletin includes a good list of mitigations for legacy systems to include upgrading to a newer/supported version where possible, segmentation/isolation, increased authentication strength, removing unneeded software and increased firewall rules with supporting monitoring. Even with those in place, expect pressure to replace legacy systems with newer versions to include cloud-based alternatives.
“Reasonable and appropriate” is bureaucratic language intended to avoid accountability. Fortunately, healthcare covered entities now have more prescriptive language to guide them in securing their systems. For a targeted sector where breaches risk injury and death, the bar is very high. Recent events suggest that isolating clinical applications from those facing the public networks (e.g., e-mail and browsing) is urgent.
William Hugh Murray
Read more in
Gov Infosecurity: Reduce Security Risk of Healthcare Legacy Systems, Devices