Why legacy applications are a healthcare cyber security nightmare

In recent years, cyber-attacks on healthcare organisations across the world, such as from the WannaCry ransomware attack, highlighted how vulnerabilities in technology can quickly impact patient safety. The Internet of Things (IoT) and cloud computing are examples of technological advances that are driving the digital transformation agenda in healthcare. Though there is no question such initiatives are empowering greater patient engagement, they also increase the threat surface area for potential cyber-attacks. Legacy applications, in particular, are an often-overlooked weak point, providing a ‘back door’ for cyber criminals to exploit network connectivity and ‘networks of networks’, threatening individual organisations or even entire health systems.

The natural fall-out from the acceleration towards digitisation is the rising number of legacy applications that still reside in healthcare settings. Largely these applications preserve historical patient data that is not migrated to newer, more secure solutions. Typically, they continue to stay in production for a number of reasons: often, new vendors do not want to assume responsibility for the quality of older data from other systems; or the migration path for older patient information from the old to the new system is difficult or cost prohibitive. Regardless, in order for NHS Trusts and private hospitals to minimise their exposure to the increasing focus of cyber-criminals, the need to manage the entire suite of clinical applications is more critical than ever.

Healthcare organisations continuing to run legacy applications are simply inviting risk. The more these vulnerable systems remain in use, the wider the threat surface area becomes. With the continued emphasis on interoperability across multiple, diverse care settings, the consequences of a cyber-attack on vulnerable systems are cause for real concern: infection can swiftly permeate throughout a hospital and beyond, impacting mission critical clinical applications, with potentially catastrophic implications.

Mitigating the risk of legacy applications

It’s important that healthcare organisations possess robust safeguarding capabilities that enable them to securely manage patient information. Applications, such as clinical repositories, provide increased resilience to cyber-attacks due to their ability to isolate and protect patient data away from compromised applications. By extracting, transforming and ingesting data from legacy systems into a clinical repository, and making that data available as part of a 360-degree patient record, digital working is maintained across care settings, at all hours. In offering ongoing and secure access to crucial clinical information, staff can continue to make accurate evaluations and well-informed decisions unencumbered by delays and errors that often impact patients following cyber-attacks.

Maintaining operational effectiveness

As demand on services continues to increase, hospitals are enduring unrelenting pressure to increase efficiency and ‘do more with less’. But, whether it’s driving efficiency, reducing expenditure, or avoiding regulatory breaches; any strategic goals must be underpinned by a robust cyber security strategy. Deploying a centralised, independent clinical repository allows CIOs and CCIOs to decommission legacy applications whilst ensuring the data remains part of the patient record and all while reducing the threat surface of potential loopholes in security. This negates any potential operational costs associated with devastating cyber-attacks, such as switching to inefficient and costly business contingency plans and diverting patients to neighbouring organisations.

Maintaining smooth and uninterrupted information workflows is also critical. Investments in solutions that safeguard access to clinical information, whilst addressing cyber security concerns, should be a priority.

Retiring applications

With healthcare organisations employing newer, more advanced, state of the art systems, by default, they are also creating an increased volume of legacy applications. And these, in turn, create increased exposure to cyber-attacks. While hospitals often face challenges in planning how to extract the data from legacy systems; where to migrate the relevant patient information to so that it remains a part of the longitudinal patient record; and how to budget for it with access to limited resources – independent clinical repositories remove many of these barriers.

Once the newer applications are installed, the internal expertise to maintain the old systems is often no longer available. The result is that old applications are left unchanged. This is largely because there is a perception that changing or updating systems will risk breaking the application. Sadly, this ignores the much bigger risk that failing to change or update systems leaves critical vulnerabilities and known weaknesses running within the organisation.

Having assessed the level of vulnerability that outdated applications present via a graded risk approach, and balancing this with stakeholder demand for the associated patient information (together with its operational value), it is clear that the relevant patient information should be migrated, consolidated and protected in a standards-based clinical repository. This provides peace of mind that patient information is secure, available and accessible to the entire organisation; and that it can be held there and presented to whichever application requires it, or accessed directly. The old applications, with their vulnerabilities, can then safely be retired.

Digital transformation initiatives in healthcare continue globally. But the fall-out of these advances is that more and more legacy applications are being created as new systems are deployed and these present substantial risks to core ambitions, such as achieving interoperability, value-based care and integrated care between healthcare providers. All applications will eventually become outdated and, if not maintained, will likely contain vulnerabilities – especially as new vulnerabilities within core operating systems on run-time libraries are being discovered all the time). Consequently, it’s essential to have a robust application retirement strategy in place as any system a hospital procures will ultimately become a source of future vulnerability. This, in turn, could result in the spread of threats to multiple systems and settings at scale, with serious consequences to reputation, patient security and care.

Written by Gareth Griffiths, Chief Technology Officer, at BridgeHead Software


Join our audience of healthcare industry professionals

Join our audience of healthcare industry professionals