Legacy Systems, Cyber Risks: Protecting ePHI in Outdated Technology Amid HIPAA and HITECH

Introduction

Healthcare relies on technology, but not all technology meets current demands. Many organizations that are business associates or covered entities, such as academic medical centers, community hospitals, smaller practices, principal investigators at research institutions, and vendors, still use outdated medical devices, often called legacy systems. These include older infusion pumps, patient monitors, and imaging equipment, some of which lack active software support. Combined with the rise of telemedicine, these systems present significant cybersecurity risks to electronic protected health information (ePHI). Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) regulations, ensuring compliance is essential to safeguard patient data, maintain operations, and avoid penalties.

Risks Posed by Legacy Systems

Legacy systems are common in healthcare settings because of their durability, but this longevity creates vulnerabilities. Vendor security patches and software updates often cease while the hardware remains in clinical use, leaving devices with unpatched weaknesses exposed to cyber threats.

These vulnerabilities challenge compliance with HIPAA and HITECH requirements for academic medical centers managing patient care and research, community hospitals with limited budgets, or vendors supplying technology. Failure to address them risks data breaches and operational disruptions.

Telemedicine and Added Complexity

The growth of telemedicine further complicates this landscape. Legacy systems often integrate with telehealth platforms; if unsecured, they can serve as entry points for breaches. For example, in 2023, an outdated server was the point of compromise for patient ePHI in a telehealth-related breach. HIPAA and HITECH regulations apply equally to virtual and in-person care, requiring significant protections regardless of the delivery method.

Regulatory Framework: HIPAA and HITECH

HIPAA’s Security Rule (45 CFR Part 164, Subpart C) mandates that covered entities and business associates, including vendors, implement safeguards to protect ePHI from reasonably anticipated threats. This includes technical measures like encryption and administrative steps like risk assessments. The Privacy Rule ensures patient data remains confidential and is used appropriately. HITECH, enacted in 2009, strengthens these requirements with breach notification obligations and expectations for secure technology adoption.

A proposed update from the U.S. Department of Health and Human Services (HHS) to the Security Rule, published January 6, 2025, with a comment period that closed March 7, 2025, seeks to enhance these standards.[1] It proposes mandatory security measures, annual risk analyses, and increased cybersecurity focus, with an estimated first-year cost of $9.3 billion for regulated entities. While its final form, if any, remains uncertain, the emphasis on cyber threats underscores the urgency of addressing legacy systems.

On April 1, 2025, the House Committee on Energy and Commerce heard testimony highlighting the issue of healthcare cybersecurity, noting that without better tracking, healthcare entities remain susceptible to cyberattacks.[2]

Noncompliance carries significant consequences. A breach from an unpatched legacy system or telehealth platform could lead to HITECH notification requirements and HIPAA penalties, with fines reaching $1.5 million per violation category annually.

Consequences of Inaction

The HHS reported over 700 data breaches in 2024,[3] affecting millions of patients, with many linked to vulnerabilities in outdated technology. A 2021 ransomware attack, possibly initiated through a legacy device, disrupted a hospital’s operations for days, delaying care and incurring substantial costs.[4] Research institutions face the loss of critical trial data, while vendors risk contractual and reputational damage if their technology fails to meet standards. Telemedicine breaches amplify these issues, eroding patient trust alongside regulatory compliance.

Steps to Ensure Compliance

Addressing these risks requires a structured approach, including steps such as the following:

  • Device Inventory: Conduct a thorough audit of all medical devices, including those supporting telehealth, to identify software versions and support status.
  • Risk Assessments: Perform annual assessments as the Security Rule requires to evaluate vulnerabilities in legacy and telehealth systems.
  • Network Segmentation: Isolate legacy devices from critical networks, including telehealth platforms, to limit breach impact.
  • Update or Replace: Apply available software patches or plan replacements for unsupported systems, balancing cost and risk.
  • Staff Training: Educate employees on security practices, a Security Rule requirement, to reduce human error in both physical and virtual settings.
  • Vendor Oversight: Verify that business associates’ technology complies with HITECH standards, particularly for telehealth integration. It is not sufficient that business associates are “certified” as HIPAA or HITECH compliant by a third party. The technology that consultants use should also be included when considering vendor technology.
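As an added example, not taken from the original post or from CITI Program, the following Python script shows how the first three steps above (inventory, risk assessment input, and segmentation) can be checked mechanically against an asset inventory. It parses a constructed sample inventory, flags devices whose vendor support has ended or is not recorded, and lists those legacy devices that share a network segment with telehealth-facing systems. The column names, asset IDs, software versions, support dates and VLAN labels are assumptions for illustration only.

```python
"""Legacy-device inventory audit (added example, not from the original post).

Reads a device inventory and reports two findings a HIPAA Security Rule risk
analysis would want to see:
  1. devices whose vendor software support has ended, or whose support status
     is unknown (treated as a finding, not as "fine"), and
  2. legacy devices that sit on the same network segment as a telehealth-facing
     system, i.e. where segmentation has not isolated them.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample inventory. A real one would be exported from the CMDB or
# biomedical asset system; every value below is made up for illustration.
SAMPLE_INVENTORY = """\
asset_id,device_type,software_version,support_end,segment,telehealth_facing
PMP-0142,infusion pump,3.2.1,2019-12-31,CLIN-VLAN10,no
MON-0077,patient monitor,7.0.4,2027-06-30,CLIN-VLAN10,no
IMG-0003,CT scanner,2.8,,RAD-VLAN20,no
TLH-0001,telehealth gateway,11.4.0,2028-01-15,CLIN-VLAN10,yes
WS-0210,clinician workstation,22H2,2026-10-14,CORP-VLAN30,yes
"""


@dataclass
class Device:
    asset_id: str
    device_type: str
    software_version: str
    support_end: Optional[date]  # None means the support status is unrecorded
    segment: str
    telehealth_facing: bool


def parse_inventory(text: str) -> List[Device]:
    """Parse CSV inventory text; an empty support_end field becomes None."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        raw_end = row["support_end"].strip()
        devices.append(Device(
            asset_id=row["asset_id"].strip(),
            device_type=row["device_type"].strip(),
            software_version=row["software_version"].strip(),
            support_end=date.fromisoformat(raw_end) if raw_end else None,
            segment=row["segment"].strip(),
            telehealth_facing=row["telehealth_facing"].strip().lower() == "yes",
        ))
    return devices


def unsupported_devices(devices: List[Device], today: date) -> List[Device]:
    """Legacy = support ended on or before today, or support status unknown."""
    return [d for d in devices if d.support_end is None or d.support_end <= today]


def segmentation_findings(devices: List[Device], today: date) -> List[Device]:
    """Legacy devices sharing a segment with any telehealth-facing system."""
    telehealth_segments = {d.segment for d in devices if d.telehealth_facing}
    return [d for d in unsupported_devices(devices, today)
            if d.segment in telehealth_segments]


def audit(text: str, today_iso: str) -> Dict[str, List[str]]:
    """Run both checks and return sorted asset IDs per finding category."""
    today = date.fromisoformat(today_iso)
    devices = parse_inventory(text)
    return {
        "unsupported": sorted(d.asset_id for d in unsupported_devices(devices, today)),
        "co_located_with_telehealth": sorted(
            d.asset_id for d in segmentation_findings(devices, today)),
    }


if __name__ == "__main__":
    for finding, ids in audit(SAMPLE_INVENTORY, "2025-04-21").items():
        print(f"{finding}: {', '.join(ids) or 'none'}")
```

Treating a blank support date as a finding is deliberate: an unknown support status is itself a gap the inventory step is meant to close, and the risk assessment cannot rate a device whose patch status nobody has recorded.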

These measures enable organizations to meet regulatory requirements and protect ePHI effectively.

Compliance Education

Legacy systems and telehealth do not have to compromise compliance. Because compliance education is a key component of any program for evaluating cybersecurity and compliance with HIPAA and HITECH, CITI Program offers HIPAA and HITECH for Business Associates, which provides targeted guidance. Using that course, participants can create practical checklists, drawn from Security Rule standards, for assessing telehealth risks tied to legacy technology, and review real-world examples. A companion course to the HIPAA and HITECH series is Foundations of Telehealth, which offers a step-by-step, practical framework for the technical considerations surrounding ePHI in virtual care settings.

Summary

CITI Program’s HIPAA and HITECH for Business Associates course equips business associates and covered entities, such as academic medical centers, principal investigators at research institutions, hospitals, smaller entities, research institutions, and vendors, with actionable tools. Given the risks posed by legacy technology, business associates and covered entities need to begin with an inventory of all technology in use and a risk assessment of that technology against HIPAA and HITECH requirements.

References

1. HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information, January 2025. Accessed April 21, 2025.
2. Oversight and Investigations Subcommittee: “Aging Technology, Emerging Threats: Examining Cybersecurity Vulnerabilities in Legacy Medical Devices,” April 1, 2025. Accessed April 21, 2025.
3. “2024 US Healthcare Data Breaches: 720 Incidents, 186 Million Compromised User Records,” January 2025. Accessed April 21, 2025.
4. “Scripps Health network still down, 2 weeks after cyberattack,” May 17, 2021. Accessed April 21, 2025.