May 25, 2021
The healthcare industry fell victim to 642 large data breaches in 2020, which affected over 29 million patient records. This was an increase of 25% from the previous year, and the largest number of data breaches reported in a given year. Additionally, more penalties for HIPAA covered entities and business associates occurred in 2020 than in any other year since HIPAA compliance started being enforced, with $13,554,900 paid in penalties.
The main cause of data breaches in 2020 was hacking and other IT incidents, which accounted for 66.82% of all reported breaches and 91.99% of all breached records.
Healthcare facilities face many internal and external security threats (hidden HTTPS tunnels, external remote access tools, internet “dark web scans”, and DNS tunnels), and maintaining countless legacy systems compounds these risks.
To help you assess your facility’s risk, here are the top three questions we receive regarding legacy system security, data archiving, and migration:
The simple answer is that legacy systems run on platforms that were designed many years ago, which often cannot be updated. In the interim, security standards have evolved as hacking techniques have advanced, leaving these systems highly vulnerable. To help protect these systems, many IT teams develop band-aid solutions to secure systems that were not designed for the modern IT world.
Additionally, old systems are difficult to maintain because IT professionals with the skill set required to support the tools and patches are hard to find, and updates from the system vendor may run dry or be extremely costly. Outdated operating systems and obsolete programming languages make it nearly impossible to put the necessary modern security and privacy controls in place. The combination of a lack of system expertise, a lack of updates, and a myriad of patched solutions to bridge the gap creates a very high-risk system environment.
Legacy systems stick around for a reason—they contain medical and business records your facility needs. Fortunately, there is an alternative to the costly and risky maintenance option: consolidation. As a first step, take an inventory of all the systems your facility runs. Through the process of mergers and acquisitions, it’s not uncommon to be running dozens of unnecessary legacy systems at any given hospital or health system. It’s not hard to imagine how some systems are forgotten. In many cases, these systems are candidates for data migration or archive. To decide which ones might be candidates, consider the following for each system:
If the system is not needed or can be replaced (or has been) by a more modern system and is subject to electronic discovery requirements, it is a strong candidate for data migration and/or archival.
Decommissioning legacy systems through data archiving or migration allows crucial legacy data to be accessed easily while simplifying the security process by consolidating the records from multiple legacy systems into a unified archive. Both archiving and migration help mitigate security and privacy threats simply by reducing your facility’s attack surface.
The best way to decide between a migration (moving the data to another enterprise system) and an archive (moving the data to a searchable, secure, PDF archive for reference use) is to determine the recency of the data and how often it needs to be accessed. Opt for an archive if you do not need to access the data often, since archiving is typically a more straightforward process than a full migration. However, if you have a system with recent patient records for which active functionality is needed (such as billing/rebilling, or data mining), those records will likely need to be migrated to a new system.
An experienced data archive and migration vendor can help your facility preserve the integrity of the legacy data and retain important details such as version history and audit trails to keep your data secure and in compliance.
Takeaway: Operating numerous legacy systems is not only a drain on enterprise resources, but it is also fraught with security vulnerabilities. By taking stock of your systems and evaluating which systems are strong candidates for archives or migrations to new systems, you take one strong step toward protecting the integrity of your patient data and reducing costs and risks.