Software And Hardware End-Of-Life Risks For Healthcare
By Afzal Bashir, Versatile Health
It may be hard to believe, but there are still a large number of outdated systems, such as Windows 7 for clients and Windows 2008 for servers, which are running key areas of companies' businesses. Worst yet, some are still using Windows XP, Windows Server 2003, Office 2007, Outlook 2007 and other proprietary software that have gone end of life, and there is no support for the software. Many organizations are also running hardware that is over 10 years old. Never mind having support on these assets, but it’s nearly impossible to find replacement components. We all know it is challenging to keep track of all IT assets (software/hardware) -- especially for businesses that are geographically segregated or do not have an enterprise-level asset management program, or a proper change management process.
Risks Of Unsupported Software And Hardware
We often find that it is the critical systems that run the unsupported software or hardware. While most IT teams know the importance of unsupported systems and life cycle management, competing priorities and the approach of “if it’s not broken” is often taken with legacy systems. It is challenging to take these systems offline for maintenance and even more so for migrations, especially where patient care can be impacted.
However, once these systems fall under an unsupported category, patient care could become even more vulnerable as the systems are no longer safeguarded from risks and become prone to failure. Healthcare organization should know that security, compliance, and compatibility are fundamental parts of business operations. Software and hardware EOL (end of life) should be part of an asset management and change management process to reduce patient care interruptions and financial risks.
Putting off the inevitable because of other priorities and not managing the assets could lead to a greater impact on patient care. Not addressing unsupported assets can be a major risk. For instance, it could cause incompatibility issues and/or hinder patient care. In addition, it could lead to a critical security issue, or worse a data breach.
Thinking Ahead For EOL
Planning for assets' end of life is never an easy endeavor, especially for proprietary systems. From a security perspective, doing nothing can lead to an unexpected and extended outage, delay in patient care, and potentially financial losses. Once the software or hardware vendor stops providing support, security patches and bug fixes, security can be compromised by bad actors who prey on exploiting these vulnerabilities, knowing the vulnerabilities cannot be patched.
And it’s not just the systems running the unsupported software that are vulnerable, the entire infrastructure becomes vulnerable at that point. When an un-patched system is compromised with an infected virus or malicious code, it becomes the ‘evil intruder’ on your infrastructure and can quickly be compounded on the network.
Viruses or malicious code often move laterally and can impact even the latest operating systems if those systems have not been patched or do not have the latest virus/malware protection. For example, leaving one outside door open in a building, all other offices in that building are at risk, if they are not individually locked.
Regulatory Compliance & HIPAA Regulations
Compliance and audits are another concern for healthcare systems. In fact, some regulations address unsupported systems directly, stating critical security patches must be installed in a specific time frame from the release date. HIPAA indicates sufficient security measures must be taken to reduce risk and vulnerabilities to a reasonable and appropriate level.
Healthcare organizations that continue to use the unsupported software or hardware may now find themselves out of compliance with regulatory requirements or regulated data mandates, and further discover they may fail their audits.
Removing software and hardware that is no longer supported greatly helps in meeting compliance and audit objectives. Often organizations focus on compliance after the audit, which translates to having some sort of a corrective action plan and can possibly lead to severe legal consequences or penalties if not addressed.
Then there are the compatibility issues -- there’s a chain reaction process here with unsupported software and hardware. If hardware is not upgraded, you may find you are not able to upgrade to the latest Operating System (OS). New versions of applications are innovative and are being continually released as well as optimized to work with the latest OS. This means using the latest applications on an old OS such as Windows XP or Windows Server 2003 will not always perform as intended or may not function at all. In which case, continuing to use a legacy application on an unsupported OS may lead to vulnerable systems and foregoing the latest features -- ultimately producing both poor performance and poor reliability.
Asset management and change management, along with planning, are key success factors to decommissioning an asset that is going end of life. Part of the program should be to keep a pulse with your vendors and ensure you are aware when assets will lose support. As part of the planning, it is important to have the business stakeholders and financial leaders involved early to ensure they are aware of the risks and are committed to the migration planning process.
The following factors must be considered when planning: pricing models, types of licenses, training required, frequency of upgrades, annual maintenance, implementation time frames, consulting services, hosting infrastructure, upgrade cycles, and total cost of ownership, to name just a few.
Planning For End Of Life Keeps The Business Running Smoothly
In conclusion, it’s paramount for organizations to address their unsupported systems early on and to work with their vendors and partners who can provide guidance and handle operability, reliability, and integrity for multiple technologies, equipment, software and hardware. This is further impacted by interoperable systems that support the use of multiple vendors and application versions.
About The Author
Afzal Bashir is CISO of Versatile Health.