Security Challenge: Your Outdated OS


Legacy operating systems (OS) continue to pose a significant risk to the security of patient information stored by healthcare devices.

On January 10, support and updates ended for Microsoft’s Windows 8.1. Microsoft has recommended that organizations upgrade to a “more current, in-service, and supported Windows release.” For devices that cannot run a more current version, Microsoft’s guidance is that they “recommend you replace the device with one that supports Windows 11.”


What is the Risk?

Running old systems is still a common practice in the healthcare industry, and the January end of support brought the problem to light again. Older devices may still function well for clinical use, but without regular updates they quickly become easy entry points for criminals to infiltrate systems and compromise PHI.

In September of last year, the FBI “identified an increasing number of vulnerabilities posed by unpatched medical devices that run on outdated software and devices that lack adequate security features.” In their Cyber Division Notification, they stated that “Medical device hardware often remains active for 10-30 years… allowing cyber threat actors time to discover and exploit vulnerabilities.”

It’s recognized that replacing these expensive devices every few years is impracticable for most organizations. It’s “just not an option,” which is why over 70% of providers are still running legacy OS. This concern has been around for a while, so it most likely doesn’t come as a surprise. However, it’s not an easy issue to solve, and it means that securing the devices currently in use must be a priority.


How to Mitigate the Risk

Organizations should focus on implementing zero trust security protections and network segmentation to decrease the likelihood of a breach.

These security practices are within the organization's control; beyond that, some answers to this problem may come in the form of new legislation. In the meantime, providers can steadily reduce their attack surface by giving users only the network access they require to perform their job functions. No device or user should be given access to a network or to information without authentication. It’s also important to note that if you have devices that have not yet reached end-of-life, you need to be regularly checking for new updates and security patches.
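The three controls above (isolate legacy devices in their own segment, require authentication before network access, and keep still-supported devices patched) can be checked against a device inventory. The following is an added example, not Medcurity’s code and not part of the original post; it assumes a small constructed inventory, an end-of-support table (the Windows 8.1 date of 10 January 2023 is the one the post refers to; Windows 7’s is 14 January 2020), an assumed set of isolated segment names, and assumed severity weights for the prioritized list.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    last_patched: date
    segment: str         # network segment / VLAN the device sits in
    network_auth: bool   # True if the device must authenticate (e.g. 802.1X) before joining the network


# End-of-support dates for the operating systems this example knows about.
# Windows 8.1: 10 January 2023 (the date the post refers to); Windows 7: 14 January 2020.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
}

# Assumption: segments whose reachability is restricted to the clinical systems that need them.
ISOLATED_SEGMENTS = {"isolated-legacy-vlan"}

# Assumed severity weights used only to order the action list.
WEIGHTS = {"not_segmented": 3, "unsupported_os": 2, "no_network_auth": 2, "stale_patching": 1}


def is_unsupported(dev: Device, today: date) -> bool:
    """True if the device's OS has passed its vendor end-of-support date."""
    eol = END_OF_SUPPORT.get(dev.os)
    return eol is not None and eol <= today


def assess_device(dev: Device, today: date, max_patch_age_days: int = 30) -> list[str]:
    """Return the control gaps for one device, in the order they are evaluated."""
    findings = []
    if is_unsupported(dev, today):
        findings.append("unsupported_os")
        # An unsupported OS cannot be patched, so the mitigation is segmentation.
        if dev.segment not in ISOLATED_SEGMENTS:
            findings.append("not_segmented")
    elif today - dev.last_patched > timedelta(days=max_patch_age_days):
        # Still-supported devices are expected to receive updates regularly.
        findings.append("stale_patching")
    if not dev.network_auth:
        findings.append("no_network_auth")
    return findings


def assess_inventory(devices: list[Device], today: date, max_patch_age_days: int = 30) -> dict[str, list[str]]:
    """Map each device name to its list of findings."""
    return {d.name: assess_device(d, today, max_patch_age_days) for d in devices}


def prioritized(report: dict[str, list[str]]) -> list[str]:
    """Order device names by total finding weight (highest first), then by name."""
    def score(name: str) -> int:
        return sum(WEIGHTS[f] for f in report[name])
    return sorted(report, key=lambda n: (-score(n), n))


# Constructed sample inventory (not real devices).
REPORT_DATE = date(2023, 3, 1)
SAMPLE_DEVICES = [
    Device("infusion-pump-01", "Windows 8.1", date(2022, 12, 1), "clinical-vlan", False),
    Device("mri-console-02", "Windows 7", date(2019, 10, 1), "isolated-legacy-vlan", True),
    Device("workstation-03", "Windows 11", date(2023, 1, 5), "clinical-vlan", True),
    Device("workstation-04", "Windows 11", date(2023, 2, 20), "clinical-vlan", True),
]

if __name__ == "__main__":
    report = assess_inventory(SAMPLE_DEVICES, REPORT_DATE)
    for name in prioritized(report):
        print(f"{name}: {', '.join(report[name]) or 'no findings'}")
```

The infusion pump ranks first because it combines an unsupported OS with a reachable segment and no network authentication; the MRI console still runs an unsupported OS but sits in the isolated segment, which is the compensating control the post describes. Only still-supported devices are scored for patch age, since an end-of-life OS receives no patches to be late on.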

These types of technical protections fall under the technical safeguards portion of the HIPAA Security Rule. At Medcurity, we’ve built an intuitive HIPAA compliance platform that walks you through your required Security Risk Analysis step by step, with guidance and definitions throughout. The best way to begin securing your patient data from outside attacks is by conducting a thorough SRA. Once you know where PHI is being stored and what protections you currently have in place, you can begin taking steps forward using your automatically generated, prioritized action plan. The Security Risk Assessment is critical for all organizations that handle, transfer, or store PHI. Medcurity takes the stress out of your HIPAA compliance, so that you can focus on providing the best patient care.


If you have questions about the SRA or about technical protections for keeping PHI secure, reach out to your team at Medcurity.