By Afshin Attari, Senior Director of Public Sector at Exponential-e
The level of legacy debt varies widely across the NHS. A recent report from the Department of Science Technology and Innovation (DSIT) has revealed that legacy technology can range from as little as 10% to as much as 60-70%. This reliance on outdated systems presents a significant cybersecurity challenge, heightened by the fact that 15% of surveyed organisations could not estimate the size of their legacy estate. The report also highlights that these systems are high-risk, prone to security vulnerabilities, lack support, and are subject to operational failures.
The issue? Many NHS organisations struggle with a clear view of their legacy applications and systems. Without this visibility they are challenged to understand and manage the systems which are often critical to their daily operations. In the absence of proper documentation and oversight, it’s impossible to effectively secure these systems and they remain exposed to cyber threats.
To truly address security issues in legacy systems the correct foundation should be laid, and the right expertise needs to be on hand to support.
Why mapping is essential
Legacy applications serve essential roles, but their age and complexity make them vulnerable to security risks. Legacy assets and applications are also often large scale and mission critical. They are difficult to modernise due to long term data retention and they are difficult to migrate notably to Public Cloud environments. To do so, requires incumbent knowledge of that legacy platform and it relies on working out how you get the data exfiltrated from that environment and transferred to a new platform.
Many organisations face challenges when dealing with legacy systems, particularly in highly regulated industries like healthcare. The sector depends heavily on legacy infrastructure that has been built up over decades, making upgrades and migrations even more complex. Often, these systems are deeply integrated with other critical applications, meaning that any disruption or attempted migration must be carefully planned to avoid service interruptions or data loss. Additionally, compliance requirements further complicate modernisation efforts, as organisations must ensure that any changes align with industry regulations and security frameworks.
Knowledge and documentation are the first step to securing legacy systems. If you don’t know what you have, you can’t secure it. A foundational mapping exercise is crucial for establishing a baseline of assets and ensuring the identification of what needs to be secured.
Having sight of all legacy systems within the organisation allows health authorities to do their governance and supply chain risk analysis. From here they can make sure that they have supply chain security and that assets are properly patched and meeting Cyber Essentials and Cyber Essentials Plus certification.
This is the best practice for securing legacy applications, offering insights into strategies for modernising infrastructure while maintaining compliance with necessary security standards. Once authorities have mapped their systems, they can prioritise which legacy assets to update and which to continue managing, securely. Developing a roadmap for modernisation can help organisations transition from outdated technology to more secure and efficient solutions, reducing long-term risks while maintaining operational integrity. By taking a strategic approach, organisations can ensure that legacy applications remain functional, secure, and compliant with evolving regulatory requirements.
Mitigating risk and securing legacy systems
The next step is to put security measures in place that protect these systems from cyber threats. Replacing legacy infrastructure isn’t always possible, so organisations must find ways to strengthen their existing environment by implementing robust cybersecurity frameworks, ensuring compliance with industry standards, and training staff to recognise potential risks.
Security Information and Event Management (SIEM) services can help safeguard legacy systems by continuously monitoring traffic flows and flagging abnormalities that may indicate a cyber threat by continuously monitoring traffic flows and flagging abnormalities that may indicate a cyber threat. This enables healthcare organisations to detect suspicious activity in real-time, create security rules to combat any deviations and reduce the risk of breaches. SIEM solutions also offer log analysis, threat intelligence integration, and automated responses to minimise the impact of an attack, ensuring that legacy applications remain protected even as cyber threats evolve.
However, the effectiveness of SIEM relies on working with partners that not only offer monitoring tools but also understand the complexities of legacy systems, ensuring that security solutions are tailored to the unique challenges posed by outdated infrastructure.
It’s essential for healthcare organisations to partner with technology companies, who can integrate these solutions into existing environments while ensuring compliance with the latest security standards. This level of expert assistance can also help healthcare organisations to assess and develop security processes, strengthen postures, and educate staff. With the right support, the NHS can safeguard critical systems without compromising operational efficiency or patient care.
Compromise in security will undoubtedly lead to breaches. As we see a rise in sophisticated threats to healthcare organisations in a heightened geopolitical environment, knowledge is the first step to action. Every NHS organisation must now work to proactively assess and secure legacy applications to protect sensitive data and systems from breaches moving forward.
