How to Protect Legacy Hospital Systems and Patient Data from Cyberthreats

Apr 27, 2021 at 12:21 am by pj




Cyber assaults on healthcare organizations are intensifying at a time when resources and staffing are stretched thin by the pandemic, underscoring the need for reliable cybersecurity.

According to cybersecurity firm Imperva, cybercriminals targeted the healthcare industry with about 187 million attacks per month globally in 2020, up 10 percent from the previous year. That averages about 498 incidents per organization every month. At least 560 facilities in the sector experienced ransomware attacks last year, Emsisoft reported.

How can hospital risk managers and IT officers improve their defenses against these pervasive threats? Upgrading to the latest technology typically offers the best protection against known threats, but budgets may not allow rapid replacement of a hospital's legacy systems. Many older systems remain rock-solid performers, making it more challenging to build support within the organization for replacement and associated data migration.

Fortunately, there are many ways to protect legacy systems while planning a migration to more current platforms. Be sure to give equal consideration to protecting the network and endpoint devices and awareness training for all team members.

Here are essential areas every hospital should address.


Network Security Necessities

Segment networks to limit access. Reduce hackers' access or malware opportunities by implementing virtual local area networks (VLAN) that separate the core network from laptop and tablet endpoint devices. Couple these with internal firewalls that block traffic by default and then grant only enough access for systems to work together.

Control wireless traffic. In general, it is a good idea to exclude users on wireless networks from accessing internal systems. At a minimum, require password-protected, wireless equivalent network (WEP) connections for Wi-Fi users, such as a virtual private network (VPN) using multifactor authentication (MFA). Limit wireless access to the network to specific applications and consider requiring users to have authentication certificates on their devices.

Implement network watchdogs. Protect any web servers with web application firewalls (WAF), which are designed to detect security bypass attempts such as cross-site scripting or structured query language (SQL) injection. These protections are especially important for legacy systems. Isolate edge devices such as web-enabled building mechanical systems on a separate network, if possible. Protect the edge behind a firewall with intrusion prevention system/intrusion detection system (IPS/IDS) capability (found on most modern, next-generation firewalls).


Endpoint Device Strategies

Patch systems to the latest version. Even if the latest patch available from the manufacturer is years old, it will offer more protection than earlier versions.

Conducting vulnerability assessments. Identify and turn off any unnecessary (and typically unintended) services running on a host. This reduces the number of potential exploits in a system that can no longer receive manufacturer-provided updates.

Maintain a ransomware defense. Ensure each device has antivirus/antimalware and install IPS/IDS software as an extra layer of security. Threat detection agents typically isolate the endpoint device from the network, giving the IT team the opportunity to clean the device of threats before data exfiltration occurs. It is also essential to have a dedicated response team for endpoint incidents. If the organization lacks a security operations center, consider arranging one as a service from a third-party incident responder.

Stick to a schedule. Institute regular backups of systems for use in recovery from a disaster or cyberattack. Enforce a strong password policy and require regular password rotations for any administrative accounts.

Security Awareness Considerations

Educate staff on cyber dangers and precautions. The weakest link in any data protection strategy is human error. For healthcare providers, the impact of human error is often exfiltration, data exportation, and extrusion, data leakage, or data theft. The loss of patient health or financial information can pose serious problems for organizations, while the patient can suffer effects ranging from identity theft to life-threatening situations. That's why employees need the training to help them recognize how to avoid attempts to infiltrate hospital systems or access protected data. Staff should be aware of the many threats associated with their emails and browsing, accessing hospital networks and systems through personal devices, and social engineering.

Follow phishing trends. Criminals are growing more sophisticated than ever with phishing. These typically include compelling phone calls, emails, and links to websites that not only look like the hospital's site but also have a web address that closely mimics it. With that level of communication and convincing visuals, many employees will unwittingly hand over their credentials unless they learn to recognize suspicious communications. Most phishing campaigns involve an incentive such as a gift card ‘from the company’ rewarding them for their hard work. Educating employees on how their human resources department delivers incentives will help them avoid this and other traps.

Test preparedness. Engage with a third party to launch a Red Team phishing campaign against your workforce. These simulated phishing messages and appeals will help employees identify potentially harmful emails more easily while assisting managers in identifying individuals who need additional training.

Healthcare organizations cannot afford to neglect their cyber defenses. The risks of monetary loss, fines, and reputational damage are simply too significant. But with the right technology, practices, and awareness training, healthcare providers can effectively manage cyber risk without compromising patient care.

Heather Annolino, RN, MBA, CPHRM, is the Senior Director of Healthcare Practice at Ventiv, where she plays an integral part in developing Ventiv’s Patient Safety solutions. Visit