The Department of Health and Human Services’ Office for Civil Rights (OCR) is advising clinicians to take a closer look at their legacy IT systems and devices. On October 29, 2021, OCR warned that these systems may be vulnerable for a cyberattack.

Legacy systems have at least 1 component that has been supplanted by newer technology and for which the manufacturer no longer offers support. Despite their widespread use, the unique security considerations applicable to legacy systems in an organization’s IT environment are often overlooked, according to the OCR.

“This warning is long overdue,” said Michael Greenberger, a professor of law and director of the Center for Health and Homeland Security at the University of Maryland Carey School of Law, Baltimore. The HIPAA security rules require covered entities and their business associates to implement safeguards that are reasonable and appropriate for securing electronic protected health information (ePHI). These rules apply to the creation of the information, receiving it, maintaining it, or transmitting it.

The technological footprint of a health care organization grows daily, and OCR wants providers to take the time to identify and assess their vulnerabilities. The biggest security risk is that legacy systems have no vendor support, putting them at heightened risk for cyberattacks. 

‘Problem Begging to Become a Crisis’

Today, many organizations cannot replace their legacy systems without disrupting critical services or compromising data integrity. For health care providers, this can apply to medical devices, electronic health records, and other systems offering critical services. A medical practice may be reluctant to alter technology that appears to be working, or to deploy a new and unfamiliar system that may reduce efficiency or lead to increased user errors. The issue of liability, however, may supersede those factors.

The OCR notes that many health care providers may be reluctant to replace a system that is well-tailored to their business models. Another issue is that a medical practice’s legacy systems may not be compatible with newer systems. “It is a conundrum and it is not going to turn out well for those using legacy systems,” Greenberger said. “Someone is going to be held liable for information that is stolen. This is just a problem begging to become a crisis.”

Due to the COVID-19 pandemic, many medical practices do not have the time, staff, or money for the required IT investment. “There is going to be liability. It is like someone with an old car who doesn’t want to get a new car, even though they are safer. Then, they get in an accident and almost lose their life and lose the car. Up until then, you are saying the car is fine. Then a crisis happens,” Greenberger said.

While many factors may contribute to an organization’s decision to continue to use a legacy system, it is important that the organization include security in its considerations, especially when the legacy system could be used to access, store, create, maintain, receive, or transmit ePHI. The HIPAA security rules require covered entities and their business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI throughout their environment. This includes ePHI used by legacy systems.

This article originally appeared on Renal and Urology News