Why unsupported software is a risk to healthcare organizations

Unsupported software is a risk to healthcare organizations mainly due to its lack of ongoing security updates and technical support. When software reaches its end of life (EOL), it no longer receives patches for vulnerabilities, making it an easy target for cybercriminals who can exploit these weaknesses to gain access to protected health information (PHI). This invites compliance issues and operational inefficiencies in healthcare organizations. 

What is unsupported software? 

Unsupported software refers to any software that no longer receives updates, patches, or technical support from its developer. According to an article published in JITEKI, “support' means making new improvements and, more importantly fixing bugs (including security-related bugs). In the current situation, software can inevitably be released and left as it is without such kind of support. This is because the environment where such software is running is dynamically changing, so the software needs to adapt to those changes. Without support in the form of fixes, the software will degrade, and the involved degradation of quality may be related to security lapses and poses a risk to users of such website.”

While it has reached its EOL, it can still function but becomes stagnant. With no new features or fixes for bugs and vulnerabilities, the software becomes an entry point to the organizations systems. For example, operating systems like Windows XP and Windows 7 became unsupported after their EOL dates, leaving users exposed to risks unless they upgraded. 

The risks that come with using unsupported software 

1. Unsupported software in medical devices can lead to compromised patient care, operational disruptions, and loss of trust. For example, devices like MRI machines, insulin pumps, and defibrillators with outdated software are increasingly targeted.
2. Inadequate investment in updated systems can lead to disruptions that force staff to revert to manual workflows, resulting in delayed or missing lab results, medication errors, and lapses in routine patient safety checks.
3. Reliance on vendors using outdated software can expose healthcare organizations to breaches through third-party choke points. A breach through a vendor can disrupt various processes, such as verifying patient eligibility, submitting claims, and filling prescriptions.
4. Older systems may be incompatible with advanced security solutions like endpoint detection or real-time threat monitoring.
5. Using unsupported software can lead to non-compliance with regulatory requirements, potentially resulting in legal consequences and financial penalties. HIPAA requires sufficient security measures to reduce risk and vulnerabilities.
6. Unsupported systems are more prone to crashes, errors, and data corruption.
7. The mounting risk is evident across medical device firmware, software applications, and operating systems, creating a large footprint of access vulnerability.
8. Many legacy systems can no longer be updated or patched because manufacturers no longer support them, making them prime targets for attacks.
9. Several vulnerabilities can be categorized as remote-control execution or privilege escalation exploits, where malicious actors can initiate remote control over compromised targets.
10. Legacy software kept running in read-only mode is susceptible to corruption, breakdown, cyberattack, or even internal threats.
11. Vendor dependence created by unsupported software usage is a business continuity risk.
    
    

How unsupported systems contribute to cybersecurity threats

Cybercriminals actively monitor for unsupported software, as it provides an easy entry point into an organization’s network. Once the system is compromised, attackers move laterally across networks to access and steal data. The risk this presents is increased due to the reliance on legacy systems and medical devices deeply integrated into clinical workflows. 

Many of these devices run on outdated operating systems that cannot be easily upgraded without disrupting patient care. The dilemma for healthcare organizations. Replacing the systems is costly, but the continued use introduces cybersecurity vulnerabilities that could result in a violation of HIPAA. 

Related: HIPAA Compliant Email: The Definitive Guide

FAQs

What types of software are subject to HIPAA regulations?

Any software that collects, stores, transmits, or processes PHI is subject to HIPAA. This includes software used by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates.

If a software company only has access to PHI but doesn't store it, does HIPAA still apply?

Yes, if a software company interacts with a solution that gathers and processes personal identifiers of patients, HIPAA standards apply. 

How does HIPAA's Privacy Rule affect software development in terms of patient access to their data?

The Privacy Rule requires that patients must be able to access, inspect, and request copies of their PHI.