Asset Inventory Recommended As First Step

The OCR recommends an accurate and up-to-date asset inventory as a useful first step because it can help organizations understand where critical processes, data, and legacy systems reside within their organization. After assessing the potential risks and vulnerabilities to their ePHI, covered entities and business associates should immediately take the necessary steps to reduce those risks and vulnerabilities. The OCR recommends mitigating a legacy system’s security risk by upgrading to a supported version or contracting with a vendor or a third party for extended system support through a cloud-based solution. It also recommends removing or segregating the legacy system from the internet or from the organization’s network.

“Private information is going to be released willy-nilly because these systems are so hackable,” Greenberger said. “In the natural course of events, people are not going to go out on a limb and make changes, but we are months away from this becoming a necessity because the liabilities will become obvious. Insurance companies are going to tell them they won’t have insurance.”

OCR suggests enhancing system activity reviews and audit logging to detect unauthorized activity, with special attention paid to security configurations, authentication events, and access to ePHI. Businesses are being told that they should restrict access to the legacy system to a reduced number of users and restrict the legacy system from performing functions or operations that are not strictly necessary.

Edmon Begoli, the AI Systems R&D Section Head at Oak Ridge National Laboratory in Oak Ridge, Tennessee, said aging software, written in languages and using libraries that are not in use as much anymore, presents a maintenance burden. Further, it presents a security risk because older systems are likely to be more easily exploitable in cyberattacks. “Although the cyber threat landscape is scary, following some basic best security practices can have a dramatic positive effect for the organizations,” Begoli said.

Best security practices include the use of anti-virus software, a strong password policy, and conducting backups. Other practices to improve security include regularly upgrading software and using encryption for the protected data. “We need to ensure that our systems, including data, are properly protected, monitored and patched against vulnerabilities,” Begoli said. “This is even more important with the legacy systems because these were likely not built with the same privacy protections or cybersecurity controls as they would have been today.”

This article originally appeared on Renal and Urology News