HIPAA Security


The HIPAA Security Rule is vast and detailed; for covered entities that must comply with its complexities, risk analysis is not a one-time exercise but a constant.

Cybersecurity Tips: Upgrading Legacy Systems

Are you a covered entity using a "legacy system"? A legacy system is one that is no longer supported by its manufacturer. In practice that means it no longer receives security patches, so every vulnerability discovered after the end-of-support date stays open (unless the entity buys extended support, as Microsoft offered for Windows 7 through January 2023). A classic example is Windows 7, which Microsoft stopped supporting on January 14, 2020. The HIPAA Security Rule does not require a plan to stop using a legacy system, but it does require the covered entity to manage the added risk of continued use, and that added risk belongs in the entity's risk analysis. Strategies for mitigating the risk include:

Actions for Plans:
  1. Enhance system activity review and audit logging so that unauthorized activity is detected promptly, with special attention paid to changes to security configurations, authentication events (successful and failed logons), and access to ePHI.
  2. Restrict access to the legacy system to the smallest number of users who actually need it.
  3. Strengthen authentication requirements (account lockout, longer passwords, multi-factor authentication where the system supports it) and tighten access controls.
  4. Restrict the legacy system from performing functions or operations that are not strictly necessary (e.g., by removing or disabling unnecessary software, services, and listening network ports).
  5. Ensure that the legacy system is backed up, especially if strengthened or compensating controls (such as new firewall rules) interfere with the existing backup solution.
  6. Develop contingency plans that contemplate a higher likelihood of failure, especially if the legacy system is providing a critical service.
  7. Implement restrictive firewall rules: deny inbound connections by default and allow only the specific hosts and ports the system needs.
  8. Run a supported anti-malware product, i.e., one that still receives engine and signature updates on the legacy platform.
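To make the list concrete for the page's own example platform, the following PowerShell script is an added illustration (it is not part of the original page, which contains no code). It applies compensating controls from items 1, 2, 3, 4, 7 and 8 to an unsupported Windows 7 host that must stay in service. The jump-host address 10.0.0.5, the ePHI folder D:\ePHI and the list of services to disable are assumptions for the example and must be replaced with real values; only tools that ship with Windows 7 (PowerShell 2.0, auditpol, netsh, net, wevtutil) are used, and the script must be run from an elevated prompt.

```powershell
# Added example, not from the original page: compensating controls for an unsupported
# Windows 7 host. Assumptions: RDP should be reachable only from a jump host at 10.0.0.5,
# ePHI lives under D:\ePHI, and the services below are not needed by the application.
$JumpHost = "10.0.0.5"   # assumed management host
$ePhiPath = "D:\ePHI"    # assumed ePHI location
$Unneeded = @("RemoteRegistry", "SSDPSRV", "upnphost", "WMPNetworkSvc", "Fax")  # assumed

# Keep a rollback point for the firewall before touching anything.
netsh advfirewall export "C:\legacy-fw-backup.wfw"

# --- 1. Enhanced audit logging ------------------------------------------------------
# Success and failure auditing for logons, account/policy changes and file access, so that
# logon (4624/4625), audit-policy-change (4719), account-change (4720/4732) and
# object-access (4663) records are actually written for the activity reviews.
$subcats = @("Logon", "Logoff", "Account Lockout", "Special Logon",
             "User Account Management", "Security Group Management",
             "Audit Policy Change", "Authentication Policy Change",
             "Security State Change", "File System")
foreach ($s in $subcats) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}
# Grow the Security log (256 MB) so records survive until the next review.
wevtutil sl Security /ms:268435456

# Object-access auditing only fires for objects that carry a SACL: add one to the ePHI folder.
if (Test-Path $ePhiPath) {
    $acl  = Get-Acl -Path $ePhiPath -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList "Everyone", "ReadData,WriteData,AppendData,Delete,ChangePermissions", `
                      "ContainerInherit,ObjectInherit", "None", "Success,Failure"
    $acl.AddAuditRule($rule)
    Set-Acl -Path $ePhiPath -AclObject $acl
}

# --- 2/3. Fewer users, stronger authentication --------------------------------------
net user Guest /active:no | Out-Null
# Lock out after 5 failures for 30 minutes; 14-character minimum; 90-day maximum age.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 /minpwlen:14 /maxpwage:90 | Out-Null
# Require Network Level Authentication and TLS for RDP, so credentials are verified
# before a session exists and the logon screen is never exposed to the network.
$rdp = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdp -Name SecurityLayer      -Value 2 -Type DWord
# List who can still reach the host over RDP; remove anyone not on the approved list with
#   net localgroup "Remote Desktop Users" <name> /delete
net localgroup "Remote Desktop Users"

# --- 4. Disable functions that are not strictly necessary ---------------------------
foreach ($svc in $Unneeded) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# --- 7. Restrictive firewall rules --------------------------------------------------
# Deny inbound by default, disable every pre-existing inbound allow rule, keep only the
# core networking group (DHCP/ICMP) and RDP from the jump host, and log drops so the
# reviews in step 1 can see scanning and connection attempts.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall firewall set rule name=all dir=in new enable=no
netsh advfirewall firewall set rule group="Core Networking" dir=in new enable=yes
netsh advfirewall firewall add rule name=LegacyRdpFromJumpHost dir=in action=allow protocol=TCP localport=3389 remoteip=$JumpHost

# --- 8. Confirm an anti-malware product is registered with Security Center -----------
# Prints each registered product with its raw productState and last-update timestamp;
# the state encoding is vendor-specific, so compare it against the product's own console.
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct |
    ForEach-Object {
        "{0}: productState=0x{1:x} updated={2}" -f $_.displayName, $_.productState, $_.timestamp
    }
```

Items 5 and 6 (backups and contingency planning) are deliberately not covered by the script, because the firewall changes above are exactly the kind of control that can break a network backup agent: after running it, verify the backup job still completes, confirm the application is reachable from the jump host, and check the result with `auditpol /get /category:*` and `netsh advfirewall firewall show rule name=all dir=in`. If anything is wrong, `netsh advfirewall import "C:\legacy-fw-backup.wfw"` restores the previous firewall state.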