Are Legacy EHR Sytems the HIPAA Ticking Time Bomb?

Healthcare IT and EHR security is a really important topic right now. Many organizations have started to spend time and resources on this problem after a series of healthcare and non-healthcare breaches. The Anthem breach being the most recent. Overall, this is a great thing for the industry since I think there’s more that could be done in every organization to shore up the privacy and security of patient health data.

In a recent conversation I had with Mike Semel, we talked about some of the challenges associated with legacy EHR and Healthcare IT systems in offices. Our conversation prompted to me to ask the question of whether these legacy EHR systems are the ticking time bombs of many healthcare organizations.

Think about what happens to many of these legacy EHR systems. They get put in some back office or under someone’s desk or in some nondescript closet where they’re largely forgotten. In many cases there are only 1-2 people who regularly use them and in many cases the word “regularly” equates to accessing it a few times a month. These few people are usually not technically savvy and know very little about IT security and privacy.

Do I need to ask the question about how good the security is on a system for which most people have forgotten?

These forgotten systems often don’t get any software updates to the application or the operating system. The former is an issue, but the later is a major problem. Remember that when updates to an operating system are issued, it’s essentially blasted out to the public that there are issues that a hacker can exploit. If you’re not updating the O/S, then these systems make for easy pickings for hackers.

Forget about great audit log tracking and other more advanced security on these legacy systems. In most cases, organizations are just trying to limp them along until they can decommission them and put them out to pasture. It makes for one massive security hole for most organizations.

Of course, this doesn’t even take into the account the fear that many organizations have that these systems will just give up the ghost and stop working all together. There’s nothing quite like security on a Windows 2000 Server box sitting under someone’s desk just waiting for it to die. Hopefully those hard drives and other mechanical elements don’t stop before the data’s end of life requirements.

These legacy systems aren’t pretty and likely present a massive HIPAA privacy and security hole in many organizations. If you don’t have a good handle on your legacy systems, now might be a good time to take a look. Better to do it now than to deal with it after a HIPAA breach or HIPAA audit.

About the author

John Lynn

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

2 Comments

  • You nailed it, John. While no organization is immune from hackers, I’d certainly place my bets on a modern, cloud-based company over a legacy, client-server system. Lots of reasons but here’s a few…
    * Cloud software that is multi-tenant means a security update gets to all endpoints immediately. Even if the legacy, client-server software gets updated (big if), it take a long time for the updates to get out. Have seen/heard many horror stories.
    * Cloud company risks their entire business going down in flames if they have a serious security breach. Legacy, client-server system breaches tend to get blamed on the customer, out-dated software, etc. By comparison, it’s a flesh wound to what a cloud-based company would face.
    * Cloud company has much greater ability to hire the highest caliber security talent. Simply impossible for healthcare providers — even the best. The best talent wants the broadest reach. Even a large provider isn’t very big in terms of their reach by comparison.

Click here to post a comment
   

Categories