Cybersecurity Awareness Month: Legacy Systems and the Expanding Attack Surface

October is Cybersecurity Awareness Month

Throughout the month we will take on cybersecurity subjects that continue to be challenging in healthcare today and ask our experts to weigh in.

Topic 3: Legacy Systems and the Expanding Attack Surface

Legacy systems’ security vulnerabilities and incompatibility with modern technology create a poorly managed attack surface that hackers can exploit. Outdated systems have security gaps, incompatibility issues, and diminishing vendor support.

Mohan Badkundri, Senior Vice President of Development, HSBlox
LinkedIn: Mohan Badkundri

Legacy systems have outdated software that makes it very difficult to protect them from hackers. The security vulnerabilities of such systems combined with their incompatibility with modern technology stacks create security gaps that can easily be exploited. It is imperative to upgrade such legacy systems by creating security awareness, spam filters/secure email gateways, Multifactor Authentication (MFA) in a Zero Trust framework, and enhanced anomaly logging. Zero Trust works on the principle that no user, device, or application should be trusted by default, even if they are within the network perimeter. A key first step in applying this model is the implementation of micro-segmentation to ensure that interactions between entities are highly secured by isolating different parts of the network. MFA is a pivotal tool in achieving Zero Trust Security. MFA requires users to submit two or more forms of authentication that fall under these four categories: Knowledge (PIN), Inherence (biometrics like fingerprint, voice, etc.), Device possession (USB key, token, etc.) and Location (via GPS tracking). The flexibility available to increase the number of factors required to authenticate identity makes MFA a core component of Zero Trust Architecture and is a must for any organization dealing with healthcare data.

Lesley Berkeyheiser, Senior Director of Accreditation Strategy and Development, DirectTrust
LinkedIn: Lesley Berkeyheiser

We already know that bad actors are using advanced Artificial Intelligence tools to continually probe for vulnerabilities in healthcare data exchange systems. We also know that small and mid-sized organizations remain the most exposed.

One emerging best practice in cybersecurity is segmentation in system architecture. Rather than relying on monolithic, antiquated enterprise systems, newer approaches break technology into modular components. This way, if one segment is compromised, it can be “quarantined” and isolated from the rest. It’s the digital equivalent of a clinical response: first, stop the bleeding.

Unfortunately, many older systems are still in use across the healthcare ecosystem. Their lingering security gaps, incompatibility issues, and waning vendor support only make it easier for attackers to exploit them.

Leigh Burchell (Altera Digital Health), Chair, EHR Association Executive Committee
LinkedIn: Leigh C. Burchell

Aging infrastructure in healthcare can mean, in some cases, a broad attack surface with inconsistent security maturity. The proposed overhaul of the HIPAA Security Rule offers a strategic roadmap that healthcare organizations can follow now to strengthen cybersecurity measures within their existing systems, if they choose to move forward proactively with adopting best practices. For example, adding encryption, multifactor authentication, and enhanced patching and vulnerability management to current software and connected interfaces can close doors to attackers.

However, concerning the Security Rule overhaul, the final mandated security safeguards must enhance resilience without overwhelming resource-constrained hospitals and providers. While providers should evaluate where it makes sense to invest in new core safeguards, the EHR Association continues to advocate for federal policies that support realistic, risk-based, industry-aligned approaches that reduce healthcare’s risk profile and strengthen defenses without adding undue burden or cost for provider organizations.

Jeremy Carriger, Chief Information Security Officer, Arcadia
LinkedIn: Jeremy Carriger

Legacy systems are among the toughest cybersecurity challenges in healthcare. Hospitals and clinics depend on high-cost equipment—like imaging machines, infusion pumps, and surgical tools—that often remain in service well past their supported lifecycles. Because rapid replacement isn’t financially or operationally feasible, outdated software and unsupported devices continue to operate within critical networks.

The real risk lies in how these older systems interact with the rest of the environment. When networks lack proper segmentation, a single compromised legacy device can provide a foothold for attackers to move laterally into higher-value systems. Even minor misconfigurations can open pathways for exploitation.

The best defense is to separate and watch these older systems closely. Health organizations should keep them on their own network, monitor how data moves between systems for anything unusual, and limit who can access them. When replacement isn’t possible, protections—like limiting connections, monitoring activity, and isolating older devices—can help reduce risk. With smart separation and constant visibility, hospitals can manage these risks while keeping care running smoothly.

Robert Eikel, Chief Information Security Officer & Privacy Officer, P-n-T Data Corp.
LinkedIn: Robert Eikel

Companies that move aggressively to retire legacy systems in favor of modern, serverless cloud architectures win by offloading vulnerability management onto their cloud provider, who can do it faster, cheaper, and more reliably. The savings in labor hours, and the improvements in security, are immense.

Even without the security implications, every legacy system is an operational liability. They are expensive to maintain, fragile, and roadblocks to digital transformation. Shifting to cloud-native platforms helps simplify operations, cut costs, and work more securely.

Shawn Fergason, Chief Technology Officer, MediQuant
LinkedIn: Shawn Fergason

Legacy applications are the ticking time bombs of healthcare cybersecurity – outdated, unsupported, and wide open to exploitation. Every obsolete application left running is an invitation for attackers to breach sensitive patient data. Decommissioning these systems and consolidating data into a secure archive isn’t just smart – it’s essential for survival in today’s threat landscape. Healthcare organizations must embrace this shift, not just as a technical fix, but as a bold commitment to safeguarding patient care and staying ahead of cybercriminals.

David Finn, HIT Advocate, Recovering HC CIO, Principal, Cyber Health Integrity, LLC
LinkedIn: David (Samuel) Finn

Legacy systems still power many critical functions in healthcare—from imaging and scheduling to billing and diagnostics—but they’re increasingly becoming security liabilities. With nearly half of mission-critical components approaching end-of-life, outdated servers and unsupported software lack the protections needed to defend against today’s sophisticated attacks. Meanwhile, the rapid growth of mobile health apps, remote workstations, IoMT devices, and multi-cloud environments is expanding the attack surface far beyond the data center. For healthcare leaders across all departments, modernization is no longer just about efficiency—it’s about resilience and patient trust. Efficiency without resilience is just another liability.

Jackie Mattingly, Senior Director of Consulting Services, Clearwater
LinkedIn: Jackie Mattingly

Hospitals aren’t holding onto legacy systems because they want to — it’s because they have to. When you’re working under constant budget pressure and focused on keeping patients safe and cared for, cybersecurity investments often have to wait. And in healthcare, we can’t just retire old systems when we’re done with them. We’re required to keep decades of patient records — and not just stored away, but accessible to support care at any point in a patient’s journey. That’s what makes this so complex.

These outdated systems often can’t be patched or integrated with modern security tools, and they quietly expand the attack surface. We continue to see breaches that start with old remote access tools or clinical systems that were never built for today’s connected environments.

As hospitals modernize — moving to the cloud, adopting SaaS platforms, layering in new devices — the gap between old and new grows wider. And that’s exactly where attackers thrive.

We know replacing everything isn’t realistic. It’s not just about cost — it’s about how deeply these systems are tied into clinical workflows, patient records, and daily operations. You can’t just unplug an old system when it’s still holding critical data or supporting care delivery. But that doesn’t mean we get to ignore the risk. We have to manage it. That means understanding what’s still running, minimizing its exposure, and monitoring it closely — even when budgets are tight.

And segmenting systems isn’t easy in healthcare. Clinicians need fast, seamless access to patient data wherever they are — in the Emergency Department, in radiology, or at the bedside. That interconnectedness is critical for patient care, but it also makes it harder to contain the risk.

At the end of the day, cybersecurity in healthcare is about protecting people — making sure patients get the care they need, when they need it, without delay or disruption.

Tim O’Brien, Vice President of Cloud Growth, Altera Digital Health
LinkedIn: Tim O’Brien

Outdated healthcare systems often can’t keep pace with modern security standards, leaving exploitable gaps in protection. Cloud hosting providers can mitigate these vulnerabilities by isolating legacy applications in secure, segmented environments and surrounding them with advanced threat detection and access controls. This approach allows organizations to maintain vital functions without exposing their core infrastructure to unnecessary risk. Ultimately, securing legacy systems is a key step in strengthening the overall resilience of healthcare technology.

T.J. Ramsey, Senior Director, Threat Operations, Fortified Health Security
LinkedIn: Tim R.

Legacy systems pose one of the biggest risks in healthcare cybersecurity. When you have outdated platforms, not only do they lack vendor support, but leaving them unpatched also makes them vulnerable to threats.

Even with patched legacy systems, organizations still face compatibility issues with many modern applications, so you can’t count on proper deployment. As a result, you may need to allocate more of your budget to troubleshoot these issues.

Because budget constraints are a significant issue in investing in cybersecurity programs and solutions, many healthcare organizations have no choice but to examine whether their legacy systems are replaceable. However, in reality, upgrading legacy systems often costs the same as, if not more than, maintaining the associated application ecosystem to ensure compatibility.

To reduce risk, healthcare organizations should prioritize critical upgrades where exposure is most significant and then apply controls to counteract issues until a full replacement is possible.

Lance Reid, CEO, Telcion Communications Group
LinkedIn: Lance Reid

One of the biggest challenges we see in healthcare is the sheer size and complexity of the attack surface. You’ve got massive networks, tons of endpoints, mobile devices, multiple sites, and, let’s be honest, a lot of legacy systems still in use.

The problem with legacy tech is that it often can’t be updated with modern security patches. That means you’ve got machines connected to your network that are vulnerable by design. They’re not just old — they’re risky.

Combine that with high staff turnover and limited cybersecurity training during onboarding, and it’s no surprise these environments get targeted. We run penetration tests every week, and we crack weak passwords and find unprotected systems all the time.

The fix? Layered protection. Monthly awareness training. Outsourced security monitoring. And a real incident response plan so you’re not scrambling when something goes wrong.

If you’re still running on legacy tech and hoping for the best, it’s time to get serious.

Clay Ritchey, CEO, Verato
LinkedIn: Clay Ritchey

Legacy systems pose one of the biggest vulnerabilities in healthcare cybersecurity. Outdated platforms have security gaps, limited vendor support, and don’t integrate well with modern technology and security practices, which increases the attack surface. Many phishing schemes target legacy technology users, exploiting antiquated security workflows such as password resets and exposing organizations to significant risk of breaches. Digital identity verification is a good starting point to provide secure password resets in these highly vulnerable legacy system workflows that require help desk support. Next-gen MDM solutions not only strengthen the data layer by unifying fragmented records, enriching them, and creating a single source of truth that applications and users can trust, but also secure access with digital identity verification tools. With this identity foundation in place, organizations can lower risk and extend the lifespan of their legacy investments.

Gary Salman, CEO and Co-Founder, Black Talon Security
LinkedIn: Gary Salman

Legacy systems create significant operational fragility and security blind spots across healthcare. Outdated technologies, from clinical interfaces and imaging modalities to revenue cycle management platforms, not only hinder modernization but also expose organizations to severe risks. When these systems lack vendor support or cannot run modern security tools, they become persistent vulnerabilities that threaten care continuity and expose vast amounts of protected health information (PHI). This forces leaders to manage a complex environment where critical functions depend on insecure infrastructure.

Addressing this challenge requires moving from assumptions to a strategy based on quantifiable risk. The first step is a comprehensive asset inventory to identify every device, including those with unsupported operating systems or firmware. By tagging assets based on their clinical impact, organizations can prioritize resources effectively. A centralized platform that gathers objective telemetry can translate this complex data into a clear, measurable cyber risk score, empowering executives to make informed decisions when assessing the risk of legacy systems.

Effective mitigation combines modern tools with disciplined processes. Actionable measures include isolating legacy systems through network segmentation, applying least-privilege access rules, and implementing high-frequency vulnerability scanning to find weaknesses quickly. For systems that can support them, advanced endpoint detection and response (EDR) and application allow-listing provide robust layers of defense. For those that cannot, compensating controls are essential. These efforts should be augmented by a Managed Detection and Response (MDR) service that provides 24/7 human-led threat monitoring.

Relying solely on internal IT teams or an MSP, whose primary focus is uptime, is insufficient for proactive security. Ultimately, healthcare organizations must balance long-term modernization with immediate, aggressive hardening of their existing footprint to ensure patient safety and data integrity.
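As an added example, not from the article or any of its contributors, the inventory, tagging, scoring and control-selection steps described above expressed as a small Python prioritizer; the weights, the reference date and the device inventory are constructed assumptions, not a vendor's scoring model.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Asset:
    name: str
    support_ends: Optional[date]  # None: vendor support already ended/unknown
    clinical_impact: int          # 1 (back office) .. 5 (direct patient care)
    internet_exposed: bool
    segmented: bool               # already on an isolated network segment
    supports_edr: bool            # can run a modern EDR agent

# Constructed weights and reference date for illustration only.
W_IMPACT, W_UNSUPPORTED, W_EXPOSED, W_UNSEGMENTED = 4, 10, 8, 6
TODAY = date(2025, 10, 1)

def is_unsupported(a: Asset, today: date) -> bool:
    return a.support_ends is None or a.support_ends < today

def risk_score(a: Asset, today: date) -> int:
    """Additive score: clinical impact scaled, plus a penalty per exposure."""
    score = a.clinical_impact * W_IMPACT
    score += W_UNSUPPORTED if is_unsupported(a, today) else 0
    score += W_EXPOSED if a.internet_exposed else 0
    score += W_UNSEGMENTED if not a.segmented else 0
    return score

def recommended_controls(a: Asset, today: date) -> List[str]:
    """Map the same attributes to the mitigations the text lists."""
    controls = []
    if not a.segmented:
        controls.append("segment: isolated VLAN, allow-list firewall rules")
    if a.internet_exposed:
        controls.append("remove direct internet exposure")
    if a.supports_edr:
        controls.append("deploy EDR and application allow-listing")
    elif is_unsupported(a, today):
        controls.append("compensating: least-privilege access, network monitoring")
    return controls

def prioritize(inventory: List[Asset], today: date) -> List[Asset]:
    """Highest-risk assets first, so scarce budget goes where exposure is greatest."""
    return sorted(inventory, key=lambda a: risk_score(a, today), reverse=True)

# Constructed sample inventory (not real devices).
INVENTORY = [
    Asset("infusion-pump-07", None, 5, False, False, False),
    Asset("billing-app-01", date(2027, 1, 1), 2, True, True, True),
    Asset("imaging-ws-03", date(2023, 6, 1), 4, False, True, False),
]
```

Calling `prioritize(INVENTORY, TODAY)` ranks the unsupported, unsegmented infusion pump first even though the billing application is the only internet-exposed asset, which is the clinical-impact weighting the text argues for.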