(May 2025)

What is a legacy system?

A legacy system is an information system that is considered outdated or obsolete. Commonly used legacy systems include electronic health records (EHRs), billing systems and various administrative tools that were implemented years ago and have neither been updated nor replaced with newer information systems.
Cyberattacks in health care continue to cause significant turbulence. The U.S. Department of Health and Human Services Office for Civil Rights reported a 264 percent increase in health care ransomware attacks over the past five years. Hospitals and health care organizations are facing a massive increase in ransomware worldwide, and especially in the United States, which has seen a 73 percent increase in attacks. These attacks on critical systems force the cancellation of surgeries and exams, and sometimes halt an entire health system's operations. The cost of recovering from a breach includes the direct cost of time, equipment and consultants, plus the challenge of repairing the organization's reputation. To fight off cybercrime before it happens, a health care organization should examine its weak links, starting with its legacy systems.
Electronic health record systems have an important and expanding responsibility to enable interoperability (record sharing) between providers, payers, patients and other users. However, many EHRs, developed years ago, are not able to deliver on current and future needs and will be upgraded or replaced.
Upgrading or replacing an EHR is only part of the solution. Currently, 73 percent of health care providers still use legacy information systems, and the average organization has nearly 1,000 unique applications in use. Beyond the technical limitations, legacy systems are a leading bad practice for health care security, according to the Cybersecurity and Infrastructure Security Agency. Health care is a leading target for cyberattacks, and legacy technology is reported as the third-biggest security challenge facing health care cybersecurity programs.
It is imperative to review the entire IT landscape for security risks and make the necessary changes. Here are six significant security risks lurking in legacy systems:
- Easy Back-Door Entry – Unsupported or end-of-life systems, with silos of data stored in outdated software, are the easiest entry points for hackers. Network servers are the target in more than 50 percent of all hacking-related breaches. Poor security protocols and weak infrastructure make it easy for an attacker to gain access to a legacy system and then move freely throughout the network. A health system can have upwards of 30-40 legacy systems running in maintenance mode, which is the equivalent of leaving doors and windows unlocked, ripe for an attack.
- Lack of Vendor Support – With outdated systems, there often is a lack of regular security updates, which leaves them open to cyberattacks. A lack of support from the manufacturer means a lack of available security patches.
- Technical Risk – Legacy software kept running in read-only mode is ripe for corruption, breakdown, cyberattack or even internal threats. There may also be a lack of internal system experts who are familiar with how to operate the legacy system, which can further complicate workflows.
- Non-Compliance with HIPAA – Legacy systems may not be HIPAA compliant, which increases the risk of potential breaches and leaves the organization vulnerable to penalties and sanctions. The HIPAA Security Rule requires covered entities and their business associates to implement safeguards that reasonably and appropriately secure electronic patient health information that these organizations create, receive, maintain or transmit. Legacy systems can make patient and other records vulnerable during a cyber or phishing attack.
- Absence of Monitoring Capabilities – Many legacy systems are not equipped to monitor and audit user activity, data access and use. Most older systems were designed for easy data access, as security was not as big a factor when the systems were implemented.
- Internal Threats – Legacy systems often have limited security protocols, which create an opportunity for employee mistakes or insider threats. Together, these two categories are responsible for most health care system breaches. The average health care organization has 31,000 sensitive files (about 20 percent of all files, including HIPAA-protected information, financial data and proprietary research) that are open to everyone in the organization.
How to Improve Cybersecurity Preparedness for a Health Care Organization
The first step is to follow the HIPAA Security Toolkit. This will help the organization take stock and manage its ongoing risk. The next critical step is to become HITRUST CSF certified. This globally recognized standard provides a comprehensive, flexible and efficient approach to regulatory standards compliance and risk.
With these two frameworks in place, it is recommended to centralize legacy data into an active archive like HealthData Archiver®. This helps ensure the organization meets regulatory requirements that can include record retention of six to 30 years or more while also allowing legacy systems to be decommissioned. A streamlined portfolio offers a host of security, cost and other benefits.
The Harmony Healthcare IT team of data extraction and migration experts has helped hundreds of health care delivery organizations decommission legacy systems and safely consolidate patient, employee and business records from more than 550 different clinical, financial and administrative software brands.
For more information about securing legacy health care data and deflecting cyberattacks, check out the white paper "Security Focus Creating a Legacy Data Management Plan" and the "10 privacy and security questions to ask an archiving partner." With 87 percent of health care's security issues in the last 12 months involving a third-party breach, it is critical to scrutinize every supporting organization and apply best practices for third-party risk management.
Beyond the obvious reasons to take cybersecurity seriously, the Department of Health and Human Services released 10 essential and 10 enhanced cybersecurity performance goals designed to better protect the health care sector from cyberattacks. The guidance is expected to include financial penalties in the form of reduced payments to certain hospitals that fail to meet cybersecurity standards beginning in fiscal year 2029.
If you are ready to move forward with a legacy data management strategy, we are ready to help.
Let's connect. Patrick Regan at pregan@harmonyIT.com or (406) 853-3087.