- Legacy systems can be a thorn in the side of health IT infrastructure professionals. Dated systems may still function but can be a huge liability when it comes to security and connectivity.
The general attitude of health IT is “if it ain’t broke, don’t fix it,” which can cause serious problems down the road. While this attitude could be harmful, it’s not unfounded and it doesn’t stem from bad intentions.
Healthcare organizations are often faced with strict budgets making adopting new tools difficult. Many advanced health IT infrastructure solutions will give organizations a higher ROI over time, but fronting the cost to implement them can be difficult.
Compliance also factors into this attitude. IT administrators know that the machines in place are already compliant. Taking these legacy machines out and replacing them requires certification that takes time and resources.
Changing health IT systems may also take a toll on staff. Many advanced tools and machines, like cloud or virtualization, for example, function very differently that legacy tools and machines.
This may require additional training for IT staff or new staff with specific experience to manage and monitor new systems. IT experts in the healthcare space can be expensive to hire because they are in high demand. This added expense can be hard to justify especially when there isn’t anything technically wrong with the current system.
These points may seem like enough justification to leave legacy systems in place, but it can cause serious security vulnerabilities. Waiting until a system is broken before fixing it puts patient data at risk. This reactive approach compromises data, interrupts workflow, and is potentially avoidable.
“Organizations spend a lot of effort continually trying to re-engineer legacy systems that are broken,” Health2047 Managing Director of Technology Charles Aunger told HITInfrastrucutre.com.
A lot of the time, “fixing” legacy solutions results in Band-Aid repairs and workarounds that don’t fully address the problem. One of the biggest challenges organizations face is identifying legacy systems that are vulnerable and taking the steps to replace those systems before they cause damage.
Organizations should take a proactive approach rather than wait for something to go wrong. While end users may not immediately realize when upgrades are made, they will notice when something goes wrong because of a system failure. When end users are unable to do their jobs because a legacy system failed, it hurts the provider organization as a business and can potentially harm patients.
Legacy systems are not restricted to hardware issues. Unpatched software can cause just as much or even more damage because it tends to have a wider reach across an organization.
Aunger used the recent WannaCry ransomware attack as an example of a breach that affected healthcare organizations because of a vulnerability in Microsoft Windows. Many organizations did not update their Windows operating systems with the patch Microsoft released after the attack to prevent further damage.
“Healthcare organizations around the world were saying things like, ‘we didn't apply the patch because it wasn't broken,’” Aunger recalled. “But it was broken. Microsoft defined it was broken.”
Healthcare organizations are often not quick to upgrade operating systems. WannaCry brought this issue to the forefront. Some organizations couldn’t install the patch because they were still running machines on Windows XP, which forced Microsoft to issue a separate patch.
Windows XP did work for what these organizations were using it for, but it still needed to be upgraded.
“Change is hard,” Aunger stated. “Changing applications, upgrading features, and upgrading functionality takes time.”
“Organizations are trying to bite the whole apple instead of breaking down upgrades into smaller, projects that are easier to digest,” he continued. “They tend to see the whole technology system as one big heartbeat. They think, ‘if it isn't broken, don't fix it and don't break it.’”
There is tremendous pressure on health IT departments when they’re faced with tools they know are underperforming because they’re old and the risk involved with installing new systems.
“Most IT employees worry about changing something just for the sake of changing it,” said Aunger. “When you really get down into the situation, their worry is more about the impact and the systems going down than actually breaking.”
Organizations that don’t update patches and decide to move on to more advanced systems can be their own worst enemy. For example, if a healthcare organization moving to a new picture archiving and communication system (PACS) did not perform the proper maintenance and patches through the lifecycle of their legacy PACS, they can end up breaking the system when they finally do go to upgrade.
Organizations owe it to their IT staff, end users, and patients to try and provide the best digital tools. Coming up with a plan to replace legacy systems with more advanced ones will allow organizations to become more advanced and offer a better clinician and patient experience.