Individuals and organizations in the healthcare industry rely heavily on technology for daily and critical operations. Most often than not, the technology used is old and outdated and lacks the built-in security technology that is standard today.
The HIPPA (The Health Insurance Portability and Accountability Act) Security Rules requires every covered entity to have appropriate security measures in place to ensure sensitive healthcare data is safeguarded against loss, theft, or cyber-attack. Covered entities include both individuals and organizations, such as health insurance companies, healthcare clearinghouses, and healthcare providers who submit HIPAA transactions.
HIPAA compliance and cybersecurity
A healthcare organization is not required by the HIPAA Security Rules to have the most advanced and sophisticated technology. Instead, to comply with HIPAA rules and regulations a healthcare provider must install strong security measures to keep Protected Health Information (PHI) from unauthorized access, use, disclosure, or destruction.
PHI is any information that can be used on its own or with other information to identify an individual and relates directly or indirectly to their health care. This includes demographic data, medical history, billing information, claims data, and any other type of data that is used by a healthcare provider for treatment purposes.
The consequences of HIPAA violations are severe, with multi-million dollar fines applied when violations have persisted for long periods or if the covered entity has shown repeated noncompliance with the HIPAA Rules. PHI data is incredibly valuable in the wrong hands and healthcare data breach statistics show hacking is the leading cause of data breaches in the healthcare sector. Costs associated with a data breach in the US healthcare sector average $9.23 million per incident, before any regulatory fines or possible civil or criminal penalties are applied. Data breaches also damage the image of the organization, marring its reputation and brand value.
Cybercriminals will attack the most vulnerable systems, usually operating with legacy systems, looking to steal credentials to access data. Phishing is a method of attempting to gain usernames, passwords, or medical data, for malicious reasons, using email to send an infected link or attachment to click on. Compromised passwords are responsible for the majority of data breaches. Reusing the same password across multiple sites, password sharing (HIPAA violation), and weak passwords are easily exploited by malicious actors.
Legacy technology and security
Legacy technology systems are often described as obsolete, old, or outdated, usually consisting of hardware or software that has been succeeded by newer technology. In some cases, legacy systems may still be in use and can be used for specific purposes; however, they are no longer considered to be of the highest quality because their functionality is not up-to-date with the latest technologies.
The continued use of legacy technology systems within healthcare organizations is fraught, yet there are many reasons why it happens, such as lack of funds or ability to implement new systems, familiarity with the older system, other systems rely on the legacy technology or lack of knowledge around more current technologies.
Legacy systems are vulnerable to cyber-attacks because they were not built with cybersecurity in mind. This is especially true for older, mainframe systems that may still be in use by some healthcare organizations. These types of systems were originally developed to handle large amounts of data and perform complex calculations, but they were not designed with security as a priority.
As a result, they are more susceptible to attack than newer technologies that were built to meet today’s security best practices, such as multi-factor authentication, role-based identity access management, and sufficient encryption methods. New security measures are also difficult to implement with legacy technology systems.
How to make legacy systems in healthcare compliant?
The first step is to undertake a HIPAA risk assessment and get an overview of the IT assets being used in your healthcare organization. This process will identify any potential risks associated with those IT assets. Once your risks and vulnerabilities have been determined, you will have a much better idea of what legacy technology to fix, upgrade, or replace.
Engaging the support of IT experts who specialize in HIPAA compliance will help you navigate this process and ensure you meet strict government regulations and leverage technology for your healthcare organization. You have several options when moving forward with your legacy technology:
- 1. Consider segregating your legacy systems or moving them off the network, which reduces the risk they will become a threat vector. PHI is still accessible to internal employees but inaccessible to malicious actors. There is still a risk of inappropriate access to patient health data from inside the organization.
- 2. Strengthen cybersecurity as best as possible with the existing legacy technology, with stronger access controls, antivirus software, and monitoring policies.
- 3. Replace the legacy technology system with more current technology, such as a cloud-based solution, which has improved data security, such as digital encryption to protect data, access controls, identity access management systems, and more.
Ensuring your organization is HIPAA compliant
Patients entrust their personal information to healthcare organizations and it is vital, and a legal requirement, to ensure this trust is not broken. Beyond protecting patients’ data, compliance with HIPAA is important to prevent your organization from serious, costly consequences. Changes and updates to HIPAA can also mean your business needs to address legacy technology vulnerabilities as a matter of urgency. Talk to Solzorro’s HIPAA specialists who can guide you through compliance requirements while leveraging your technology investments.
