Managing Risk in the NHS Starts with Retiring Legacy Applications


In October, NHS England released its 2017/2018 Data Security and Protection Requirements, which sets out ten data security standards recommended by Dame Fiona Caldicott, the National Data Guardian for Health and Care. This comes in the wake of a National Audit Office (NAO) report criticizing the NHS for its handling of the WannaCry attack earlier this year.

One of those data security standards calls for the NHS to “remove, replace or actively migrate or manage the risks associated with unsupported systems by April 2018.” While this largely refers to outdated operating systems, we would argue that these outdated operating systems often persist precisely because legacy applications depend upon them. To achieve the aims of Dame Fiona Caldicott’s recommendation, it is these legacy applications that should be tackled first.

Obsolete applications depend on outdated operating systems
It’s now widely acknowledged that Trusts running a Windows XP operating system, for example, are placing their organizations at risk of threats specifically designed to exploit flaws for which Microsoft no longer issues patches.

According to NHS Digital, all NHS Trusts and organizations impacted by the WannaCry ransomware attack “had unpatched, or unsupported Windows operating systems.” 

To demonstrate the scale of the problem, a Freedom of Information Act (FOI) request at the end of last year revealed that 90% of NHS Trusts are still running Windows XP, largely because legacy applications and devices are unable to use later versions of Windows. 

Given that many Trusts maintain outdated operating systems to support legacy applications, surely this is a good place to start when it comes to addressing cybersecurity risks? It’s not just a cyber-attack that the NHS needs to be wary of. Let’s not forget that older technologies, whether hardware or software, are also more prone to failures, outages and corruption, all of which can impact hospital operations and create clinical risk. 

Legacy applications commonplace
Despite significant security and clinical risks, as well as operational and cost inefficiencies, it’s still commonplace for NHS Trusts to continue maintaining outdated and unsupported applications. 

From conversations with our customers, we know that some healthcare organizations are running up to 500 legacy applications behind the scenes, despite their strategy for the Electronic Patient Record (EPR) to be the primary method of accessing clinical content. In some cases, this correlates to as many as one legacy application per bed in a hospital.

We therefore welcome the latest data security standards, which recognize that obsolete legacy applications and operating systems pose a significant threat to the NHS. At BridgeHead, we believe that far more attention should be given to addressing the vulnerabilities from legacy applications to avoid or minimize the effects of cyber-attacks, like WannaCry. 

Why are hospitals preserving these obsolete applications? 
From our own research, we know that many hospitals keep old applications running to preserve patient data. Often this data is never migrated to a new application or placed into a central archive where it can be shared. For the most part, simply discarding old data is not an option because it may contain information deemed to have clinical value. 

Concerns around regulations, governance and compliance are also a key consideration. In fact, often hospitals think they are ‘playing it safe’ when it comes to maintaining legacy applications (and their data), but this raises some doubt over their awareness of the alternatives. Many wrongly believe that there is no easy way to extract data from legacy systems, so they continue to preserve them. 

Patient data can and should be viewed independently from the applications that create it, not least for security reasons. At BridgeHead, our goal is to free the data from the application and/or storage on which it resides, so that it can be accessed and used in whatever way the hospital wishes, simultaneously closing security loopholes. 

By adopting an agnostic and separate repository for all historic and referenceable patient data, such as an Independent Clinical Archive (ICA) that sits alongside and integrates with the EPR or other critical system, Trusts are free to retire outdated applications and remove their reliance on unsupported software.

Make patient history part of your patient record
Leaving aside the risks associated with running obsolete software and applications for a moment, there are a number of additional benefits to retiring legacy systems.

Firstly, improved patient care. A bold statement perhaps but, by unlocking data that resides in obsolete applications and making it available as part of the EPR (or other system), clinicians gain easy access to a 360-degree view of current and historic information. This can then be easily filtered and used to make more informed decisions when consulting, diagnosing and treating patients.

Secondly, when data is locked within legacy applications, it is very difficult for healthcare organizations to satisfy their regulatory and compliance obligations regarding patient information. Ask most information managers how easy it is to understand the nature of the data held in these applications, never mind audit and report against it, and you’ll see the frustration as much of this is still conducted manually. 

So, imagine the difficulty in fulfilling FOI requests; it is almost impossible to know if you’ve managed to get all of the data you need. With the 2018 changes coming from the General Data Protection Regulation (GDPR), healthcare organizations will have increased responsibility - and face far greater penalties - for failure to manage their data appropriately. However, by extracting data from legacy applications and making it available as part of the patient record through an independent clinical archive, hospitals will find it much easier to search, find and access the information they need to meet their governance and compliance commitments.

Consider the real cost of legacy applications
Finally, there is also the potential for significant cost savings. These can come in many forms. Take, for example, the reduction in the cost of licensing, maintenance and infrastructure after retiring an application, or the decrease in manpower devoted to managing those applications. Yet it is the financial, clinical and operational costs that could otherwise have been avoided, or at least mitigated, that offer the greatest savings.

Prevention better than cure
At best, holding patient data in multiple departmental silos leads to inefficiencies in patient care; at worst, it poses a significant security risk to the NHS. One of the most effective actions healthcare organizations can take is to replace or retire unsafe legacy applications. 

With ransomware attacks regularly hitting the headlines – WannaCry wasn’t the first and it definitely won’t be the last – it’s a case of when, not if, the next attack happens. If vulnerable systems cannot be protected they should be removed; prevention has to be better than cure in tackling cybercrime. We’re hopeful that the 2017/2018 Data Security and Protection Requirements will go some way towards achieving this.
