VA Center’s IT Legacy Flaws Common at Other Health Entities
OIG Security Audit of Texas VA Facility Found Familiar Problems
… There are other reasons why many healthcare entities continue to keep legacy IT systems and equipment running long after they are no longer supported by vendors, says senior privacy and security consultant Susan Lucci of tw-Security.
Risks associated with obsolescence are “not generally top of mind, particularly when there is a routine that ‘appears’ to be working fine,” she says.
Not all outdated IT poses the same risk. “From a safety perspective, attention should be given to healthcare devices for patients,” Lucci says. “These have been identified as posing serious risk to the patients they were designed to help and when old, unpatched, unsupported legacy systems are running these devices, this poses the most serious risk to human life.”
Legacy IT need not be a constant bane, especially if an informed risk analysis can make a business case for its replacement.
That includes bringing in a third party to do an objective evaluation of the entire IT department combined with penetration testing. “Most audits of this type will identify a number of areas that need attention,” she says. “Once you have the evaluation, put the action items into a project plan and systematically work the plan resolving the issues on a priority basis.”