Going to ask again about HealWell - they are on an acquisition tear and seem to be very AI-focused. Has…
Readers Write: It’s Time to Rethink Healthcare’s Reliance on Legacy Tech Amid Cyberattacks
It’s Time to Rethink Healthcare’s Reliance on Legacy Tech Amid Cyberattacks
By Tom Furr
Tom Furr is founder and CEO of PatientPay of Durham, NC.
One of the biggest questions surrounding a large-scale cyberattack in healthcare this spring is one that healthcare is hesitant to confront. Why did it take more than a month to get these systems up and running again?
We would never hear of a financial institution being unable to restore operations for such a long period of time, despite the fact that financial data, just like healthcare data, is an attractive target for cyberattack, with losses totaling more than $12 billion over the past 20 years.
But as financial institutions take a hard look at ways to de-risk technologies to bolster their defense against cyberattack — including by investing in cloud and edge computing and implementing zero-trust architecture to protect legacy tools from threats, partnering with technology hosting companies for their security solutions such as AWS’s Cloud Security, Oracle Cloud Security and Azure Cloud Security —healthcare has been slower to make the move to the cloud.
One study found that while 86% of healthcare organizations have experienced data theft of some type, just 47% of sensitive data in healthcare is stored in the public cloud, compared with 61% across industries, according to research by Skyhigh Security. While 56% of healthcare organizations surveyed by Forrester increased cloud spending between 2022 and 2023, most are focusing on moving electronic medical record (EMR) systems to the cloud. While it makes sense to start with the EMR, leaders shouldn’t overlook the need to move other on-premises systems and applications to the cloud, too, including legacy systems.
A few years ago, a HIMSS survey quantified healthcare’s reliance on legacy systems. It found that 73% of organizations still operate legacy systems even though leaders say that these systems also present the third-biggest security risk to organizations. Insiders refer to these systems as “basement tech.” They have been around so long that few members of the IT team know how to operate them, yet they’re expensive to retire, so they keep chugging along, often in the basement of a facility. I guess now that costs from the most recent breach are starting to become public, it appears retiring old systems might not be that expensive after all.
If a system were hosted in the cloud, it would have access to all the latest security protections as they are released. Even better, there would be multiple layers of security surrounding a system in the cloud. If one layer were penetrated during a cyberattack, there would still be security wrapped around the root code for the system. Even if cyberthieves were to penetrate the root area of the system, the nature of the cloud means access to the system is still possible. The vulnerable system could be shut down, with the same functions spun up in another area of the cloud within minutes, limiting downtime.
We never hear someone say, “I couldn’t access my bank account for a month because of that cyberattack.” So why do we accept that this can happen in healthcare?
The truth is, we shouldn’t. Not when providers’ livelihoods are at stake, with many physicians digging into their personal savings to keep their practices afloat. And let’s not forget the patient impact, with the most recent large-scale cyberattack forcing consumers to pay cash for expensive drugs or endure long waits for needed prescriptions, among other impacts.
The impact of the latest healthcare cyberattack will likely be felt for months, going beyond claim processing and payment to impact functions such as real-time eligibility checks and more. As the industry assesses the damage, providers must also double down on prevention.
Now is the time to take a hard look at what’s holding your organization back from cloud investment, the level of expertise needed to chart a path forward, and the types of investments that will best protect your organization from a breach in an era of increased cyber risk. Your organization’s reputation and its ability to maintain continuity in care depend on these actions.
This is all true. I would emphasize that hospitals aren’t running legacy technology because they want to. They’re doing it because they don’t have funds to upgrade. If it comes down to a choice to keep nurses, fix/replace a broken piece of critical care equipment or upgrade an operating legacy server/software, the last almost always loses. The leaders know there is risk, but there are just not enough funds to go around, so they limp along. The stakes are high and becoming more common and obvious, but funding is still extremely difficult.
Original legacy client server systems were not connected to the internet. Yes it’s convenient having systems connected, it also creates security risk and associated costs. Maybe its time to weigh the cost and benefits on having every software connected to the internet?
I lived through the time period this happened (which is over now, although there was never a declared end to this process).
As a technical person? It was nearly impossible to turn a determined manager away from their stated goal of connecting those systems. You could voice your concerns, but then you had to let it go.
Frankly, for a system using older technology? It was a quick way of making it seem a little more modern. “Who needs Windows, our system is connected to the Internet, we are making things Happen!”
I really don’t see people pulling legacy tech off the web. Most shops do something else instead (VLANs, 2FA, VPN, limiting IP addresses, there are a number of approaches).
“If a system were hosted in the cloud, it would have access to all the latest security protections as they are released. Even better, there would be multiple layers of security surrounding a system in the cloud. If one layer were penetrated during a cyberattack, there would still be security wrapped around the root code for the system.”
This is a whole lot of hand-wavy nonsense. Moving to the cloud does not make your architecture magically more secure. The cloud is just someone else’s computer. Cloud is great until China steals Microsoft’s signing certificate and creates administrative credentials for themselves in every single Azure tenant.
https://www.wired.com/story/china-backed-hackers-steal-microsofts-signing-key-post-mortem/
Decentralizing the American payments system so one organization doesn’t process 50% of all claims would be a much more effective business continuity strategy than everyone just moving to the cloud.
Change Healthcare got burned because they did not have 2 factor ID deployed. The fact that they are running a legacy system has nothing to do w 2FI. 2FI is optional on most Cloud systems, I have several bank accounts where I can turn it on or off. As has been stated many times on this blog and many others – the weakest link is the people, not legacy code or legacy data.