Don’t Let Your IT and OT Systems Become Antiques.
The problem of out of date legacy hardware, operating systems and applications across the healthcare industry is endemic. This is especially so at small hospitals and clinics where tiny IT and security staffs and highly constrained budgets, prevent the upgrading of end-of-life and often vulnerable technologies. Aggressive sun-setting of Windows versions by Microsoft and near constant patching requirements compound the pressure on small IT staffs to support and secure their health IT infrastructure. This situation introduces risk into the healthcare delivery environment as IT systems continue to operate with unpatched CVEs and unsupported hardware and software.
Poor coordination between HIT vendors and Microsoft causes healthcare applications to break if patched or remain vulnerable if unpatched. Lack of support for current Windows operating systems means that new workstations and servers need to be downgraded in order to run EMR or other HIT applications.
"Windows 10 comes with .NET version 3.5 built in, however our EMR only supports .NET version 3.2, so when we upgraded our desktop OS from Windows 7 to Windows 10, we had to uninstall .NET and reinstall an old out-of-date version" claimed Jason Hawley, CIO of Yuma District Hospital and Clinics, a critical access system in rural Colorado. "We can no longer run automatic updates from Microsoft as patches break our EMR. HIT software developers are constantly behind the Microsoft development curve," he added.
Going to to the CFO and asking for money to replace and upgrade, just because systems are end-of-life doesn't work according to Hawley. "The money simply isn't available to upgrade or replace", he states. "We don't have the man-power and we can't justify the re-licensing costs."
Jason is not alone in his experience. Many security and technology leaders in similar-sized facilities make the same complaint, where IT hardware is used till it breaks and software is run well beyond its vendor support.
So how can CIOs and CISOs of small or critical access facilities get away from having to support dangerous legacy hardware and software?
"The obvious solution is to move what you can to the cloud as soon as possible, but this presents challenges in itself," claims Richard Staynings with the HIMSS Cybersecurity Committee. Regulated data needs to be highly secured - especially if its being moved off-site. Consequently, many CEOs are reluctant to take the leap of faith needed to support this change.
However most cloud service providers probably do a better job of securing their customers' PII and PHI data than any critical access hospital is able to do anyway. Especially given small IT and security staffs, low levels of security expertise and limited budgets for upgrading. In fact for most critical access facilities migrating to the cloud is a major security improvement over the current state.
"Cloud providers have an added incentive to double-down on security as their reputation is highly dependent upon the security of their services," claims Staynings. "Educating the CEO and board to that fact is however a different issue and an often lengthy process that should probably be started sooner rather than later," he adds.
Moving the IT budget from a 'CapEx' model of asset purchase and depreciation over a long period of time to an 'OpEx' model of annualized services, will likely take some persuasion and the support of the CFO. However once approved will enable small providers to finally retire out-of-date and end-of-life assets.
"Cloud migration is not as straight forward as simply moving a VM from a data center hypervisor to a cloud one," claims Staynings. "There's a lot of planning and optimization that needs to take place to make sure that you don't get unexpected usage bills for running AV and other scans 24 by 7 on each of your systems. For that reason, if you've not done this before you should probably seek help"
In the mean time CIOs and CISOs have a duty to report the risks of legacy no-longer-supported hardware and software in the organization's Risk Register. This should include OT devices like hospital building management systems and medical devices which have even longer life-spans than IT systems like servers and workstations. Most of these OT devices have little to no built-in security and require compensating security controls such as network segmentation to protect themselves and the rest of the network from attack. But first you need to find these devices, which isn't easy. Fortunately there are some new tools from the likes of CyberMDX, ZingBox, ClearData and others entering the market to help you with your medical device asset inventory and initial threat assessment.
CEOs and their boards need to make well-informed risk management decisions to accept, transfer or remediate those risks. 'Ignoring' or 'avoiding' a risk should not be an option, which unfortunately is an all-too-common process being used today in small under-funded healthcare delivery facilities.
Jason Hawley is CIO, CSO and Biomed Director at Yuma Hospital and Clinics - a critical access system in rural Colorado. Richard Staynings is a Global Healthcare Security Strategist. Both currently serve as members of the HIMSS Cybersecurity Committee. Slides from their HIMSS presentation can be viewed or downloaded here.
Poor coordination between HIT vendors and Microsoft causes healthcare applications to break if patched or remain vulnerable if unpatched. Lack of support for current Windows operating systems means that new workstations and servers need to be downgraded in order to run EMR or other HIT applications.
"Windows 10 comes with .NET version 3.5 built in, however our EMR only supports .NET version 3.2, so when we upgraded our desktop OS from Windows 7 to Windows 10, we had to uninstall .NET and reinstall an old out-of-date version" claimed Jason Hawley, CIO of Yuma District Hospital and Clinics, a critical access system in rural Colorado. "We can no longer run automatic updates from Microsoft as patches break our EMR. HIT software developers are constantly behind the Microsoft development curve," he added.
Going to to the CFO and asking for money to replace and upgrade, just because systems are end-of-life doesn't work according to Hawley. "The money simply isn't available to upgrade or replace", he states. "We don't have the man-power and we can't justify the re-licensing costs."
Jason is not alone in his experience. Many security and technology leaders in similar-sized facilities make the same complaint, where IT hardware is used till it breaks and software is run well beyond its vendor support.
So how can CIOs and CISOs of small or critical access facilities get away from having to support dangerous legacy hardware and software?
"The obvious solution is to move what you can to the cloud as soon as possible, but this presents challenges in itself," claims Richard Staynings with the HIMSS Cybersecurity Committee. Regulated data needs to be highly secured - especially if its being moved off-site. Consequently, many CEOs are reluctant to take the leap of faith needed to support this change.
However most cloud service providers probably do a better job of securing their customers' PII and PHI data than any critical access hospital is able to do anyway. Especially given small IT and security staffs, low levels of security expertise and limited budgets for upgrading. In fact for most critical access facilities migrating to the cloud is a major security improvement over the current state.
"Cloud providers have an added incentive to double-down on security as their reputation is highly dependent upon the security of their services," claims Staynings. "Educating the CEO and board to that fact is however a different issue and an often lengthy process that should probably be started sooner rather than later," he adds.
Moving the IT budget from a 'CapEx' model of asset purchase and depreciation over a long period of time to an 'OpEx' model of annualized services, will likely take some persuasion and the support of the CFO. However once approved will enable small providers to finally retire out-of-date and end-of-life assets.
"Cloud migration is not as straight forward as simply moving a VM from a data center hypervisor to a cloud one," claims Staynings. "There's a lot of planning and optimization that needs to take place to make sure that you don't get unexpected usage bills for running AV and other scans 24 by 7 on each of your systems. For that reason, if you've not done this before you should probably seek help"
In the mean time CIOs and CISOs have a duty to report the risks of legacy no-longer-supported hardware and software in the organization's Risk Register. This should include OT devices like hospital building management systems and medical devices which have even longer life-spans than IT systems like servers and workstations. Most of these OT devices have little to no built-in security and require compensating security controls such as network segmentation to protect themselves and the rest of the network from attack. But first you need to find these devices, which isn't easy. Fortunately there are some new tools from the likes of CyberMDX, ZingBox, ClearData and others entering the market to help you with your medical device asset inventory and initial threat assessment.
CEOs and their boards need to make well-informed risk management decisions to accept, transfer or remediate those risks. 'Ignoring' or 'avoiding' a risk should not be an option, which unfortunately is an all-too-common process being used today in small under-funded healthcare delivery facilities.
Jason Hawley is CIO, CSO and Biomed Director at Yuma Hospital and Clinics - a critical access system in rural Colorado. Richard Staynings is a Global Healthcare Security Strategist. Both currently serve as members of the HIMSS Cybersecurity Committee. Slides from their HIMSS presentation can be viewed or downloaded here.
Original stories and articles may be republished without charge provided that attribution is provided to the source and author. Articles written for, and published first elsewhere, are subject to the republishing terms and conditions of the host site.