Saturday, June 6, 2026

Health Systems Can't Ignore Legacy Cybersecurity Risks

Healthcare organizations spend a lot of time preparing for cyberattacks, but far less time confronting a quieter source of exposure: the unsupported applications that remain in their environments long after their primary purpose has ended.

Legacy systems often remain in production because many organizations lack an ongoing application management program and a disciplined process for deciding what to retire. Over time, mergers, EHR transitions, departmental purchases and fragmented ownership create sprawling environments that make it harder to determine which applications should be decommissioned and archived. This "application bloat" creates cybersecurity and compliance risk in ways many health leaders may not fully appreciate.

How Legacy Systems Raise the Stakes

Legacy applications weren't designed for modern identity controls, audit requirements, segmentation strategies or patching expectations. Some can't be patched at all. Others sit outside normal monitoring and vulnerability management because they're treated as exceptions, temporary holdovers or low-priority systems that never got retired.

Change Healthcare offers a vivid example. Public testimony indicates the attackers used stolen credentials to log in to a legacy, "old" Citrix remote access portal that lacked multi-factor authentication (MFA). UnitedHealth's CEO described Change as an older company with older technologies that the company had been working to upgrade or integrate after a prior acquisition. The total financial impact of the attack is estimated at roughly $2.5 billion.

But the issue is not merely that these systems are old. It's that many organizations already know some of these applications cannot meet modern security expectations. Once leadership knows that and keeps the system running anyway, it creates an active control gap.

From a regulatory standpoint, that can significantly change the conversation. If an organization has a documented HIPAA security program, and a system within scope is known to be unsupported, unpatchable or missing required controls, leaving it in operation without adequate remediation or formal exception handling can start to look less like an unavoidable incident and more like a failure to implement reasonable and appropriate safeguards. Regulators will ask whether the risk was identified, whether leadership formally accepted it, and whether a real remediation or decommissioning plan existed.

That scrutiny is not hypothetical. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has already shown where this can go. In March 2026, MMG Fusion, a healthcare business associate software company, entered into a settlement and corrective action plan after a breach affecting approximately 15 million individuals, with OCR citing failures including the lack of an accurate and thorough risk analysis.

The insurance implications can be just as serious. If a breach traces back to a system that was out of compliance with internal policy or inconsistent with the controls represented during underwriting, insurers may scrutinize the claim far more aggressively. Even when coverage is not denied outright, disputes over whether known risks were left unresolved can affect payouts, premiums and future coverage terms.

Litigation risk follows the same pattern. Plaintiffs' attorneys don't need the organization to be perfect. They need a clear story. One of the worst stories in any breach case is that the organization had a security program, knew a system was risky, kept it online anyway, and then suffered an incident through that same system. That story can gain traction in court. In February 2026, the Delaware Supreme Court allowed claims against Blackbaud to move forward based on allegations tied to obsolete servers and weak security controls.

Behind the Firewall Is Not a Strategy

One reason healthcare leaders underestimate this problem is that many of these systems are internal. They sit behind the firewall, so people treat them as low risk. That is a mistake. Internal-only does not mean safe. Attackers routinely use weaker internal systems as stepping stones to move deeper into the environment, gain privileged access, or obtain the credentials, tokens and secrets needed to reach more critical assets. For example, Oracle Health said an attacker used compromised credentials to access legacy Cerner migration servers that had not yet been moved to Oracle Cloud and copied data out of the environment.

Legacy systems are especially dangerous because they tend to survive through a familiar combination of risk acceptance, compensating controls and some version of "we still need the data." That may be true. However, there is a significant difference between needing the data and needing the original application to remain live in production.

The real question is whether there is still a defensible reason to keep the application itself running despite known control deficiencies. If the answer is yes, leadership should be prepared to show why, under what formal approval, with what safeguards, and for how long. If the answer is no, then keeping the system online only widens the gap between the organization's stated security posture and the reality of its environment.

Why Healthcare Is at a Turning Point

Healthcare organizations cannot keep defending yesterday's applications against today's threats and expectations. At a time when cyberattacks are becoming more frequent, more disruptive and more sophisticated, health systems should be looking for every practical opportunity to reduce unnecessary exposure. That is why CIOs and CISOs need to make application retirement part of cyber resilience, not just cost management.

It's true that application rationalization has historically been difficult. For years, the archiving process itself was often too slow and too cumbersome to make application retirement and data archiving feel realistic. As a result, outdated systems stayed in production far longer than they should have.

What has changed is that health systems no longer have to choose between preserving access to historical data and continuing to carry the risk of the original application. Better tools, more modern archiving approaches and managed services for decommissioning are making it increasingly possible to retire outdated systems in a way that is faster, more disciplined and more practical than it was even a few years ago. That should make application decommissioning and archiving a more urgent priority for healthcare leaders.

Because in the end, the question is not whether an old system still contains useful information. The question is whether there is still a defensible reason to keep that system running in production.

And in many cases, there is not.
