Wednesday, May 27, 2026
Health Systems Can't Ignore Legacy Cybersecurity Risks

Healthcare organizations spend a lot of time preparing for cyberattacks, but far less time confronting a quieter source of exposure: the unsupported applications that remain in their environments long after their primary purpose has ended.

Legacy systems often remain in production because many organizations lack an ongoing application management program and a disciplined process for deciding what to retire. Over time, mergers, EHR transitions, departmental purchases and fragmented ownership create sprawling environments that make it harder to determine which applications should be decommissioned and archived. This "application bloat" creates cybersecurity and compliance risk in ways many health leaders may not fully appreciate.

How Legacy Systems Raise the Stakes

Legacy applications weren't designed for modern identity controls, audit requirements, segmentation strategies or patching expectations. Some can't be patched at all. Others sit outside normal monitoring and vulnerability management because they're treated as exceptions, temporary holdovers or low-priority systems that never got retired.

Change Healthcare offers a vivid example. Public testimony indicates the attackers used stolen credentials to log in to a legacy, "old" Citrix remote access portal that lacked multi-factor authentication (MFA). UnitedHealth's CEO described Change as an older company with older technologies that the company had been working to upgrade or integrate after a prior acquisition. The total financial impact of the attack is estimated at roughly $2.5 billion.

But the problem is not merely that these systems are old. It's that many organizations already know some of these applications can't meet modern security expectations. Once leadership knows that and keeps the system running anyway, it creates an active control gap.

From a regulatory standpoint, that can significantly change the conversation. If an organization has a documented HIPAA security program, and a system within scope is known to be unsupported, unpatchable or missing required controls, leaving it in operation without adequate remediation or formal exception handling can start to look less like an unavoidable incident and more like a failure to implement reasonable and appropriate safeguards. Regulators will ask whether the risk was identified, whether leadership formally accepted it, and whether a real remediation or decommissioning plan existed.

That scrutiny is not hypothetical. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has already shown where this can go. In March 2026, MMG Fusion, a healthcare business associate software company, entered into a settlement and corrective action plan after a breach affecting roughly 15 million individuals, with OCR citing failures including the lack of an accurate and thorough risk analysis.

The insurance implications can be just as serious. If a breach traces back to a system that was out of compliance with internal policy or inconsistent with the controls represented during underwriting, insurers may scrutinize the claim much more aggressively. Even if coverage is not denied outright, disputes over whether known risks were left unresolved can affect payouts, premiums and future coverage terms.

Litigation risk follows the same pattern. Plaintiffs' attorneys don't need the organization to be perfect. They need a clear story. One of the worst stories in any breach case is that the organization had a security program, knew a system was risky, kept it online anyway, and then suffered an incident through that same system. That story can also gain traction in court. In February 2026, the Delaware Supreme Court allowed claims against Blackbaud to move forward based on allegations tied to obsolete servers and weak security controls.

Behind the Firewall Is Not a Strategy

One reason healthcare leaders underestimate this problem is that many of these systems are internal. They sit behind the firewall, so people treat them as low risk. That is a mistake. Internal-only doesn't mean safe. Attackers frequently use weaker internal systems as stepping stones to move deeper into the environment, gain privileged access, or obtain the credentials, tokens and secrets needed to reach more critical assets. For example, Oracle Health said an attacker used compromised credentials to access legacy Cerner migration servers that had not yet been moved to Oracle Cloud and copied data out of the environment.

Legacy systems are especially dangerous because they tend to survive through a familiar mix of risk acceptance, compensating controls and some version of "we still need the data." That may be true. However, there is a critical difference between needing the data and needing the original application to remain live in production.

The real question is whether there is still a defensible reason to keep the application itself running despite known control deficiencies. If the answer is yes, leadership should be prepared to show why, under what formal approval, with what safeguards, and for how long. If the answer is no, then keeping the system online only widens the gap between the organization's stated security posture and the reality of its environment.

Why Healthcare Is at a Turning Point

Healthcare organizations can't keep defending yesterday's applications against today's threats and expectations. At a time when cyberattacks are becoming more frequent, more disruptive and more sophisticated, health systems should be looking for every practical opportunity to reduce unnecessary exposure. That is why CIOs and CISOs need to make application retirement part of cyber resilience, not just cost management.

It's true that application rationalization has historically been difficult. For years, the archiving process itself was often too slow and too cumbersome to make application retirement and data archiving feel practical. As a result, outdated systems stayed in production far longer than they should have.

What has changed is that health systems no longer have to choose between preserving access to historical data and continuing to carry the risk of the original application. Better tools, more modern archiving approaches and managed services for decommissioning are making it increasingly possible to retire outdated systems in a way that's faster, more disciplined and more practical than it was even a few years ago. That should make application decommissioning and archiving a more urgent priority for healthcare leaders.

Because in the end, the question is not whether an old system still contains useful information. The question is whether there is still a defensible reason to keep that system running in production.

And in many cases, there is not.
