Legacy Systems and Cybersecurity: What Rural Hospitals Need to Do

In today’s rapidly evolving healthcare landscape, legacy systems in rural healthcare systems are still common. A 2021 Healthcare Information and Management Systems Society (HIMSS) survey reported that 73% of healthcare providers still used legacy systems, mainly due to budgetary constraints. 

In this post, we outline the cybersecurity risks associated with legacy systems and devices and provide guidance on how to minimize those risks. Additionally, we include a breach case study to illustrate the risks in action.

Legacy systems include

• Unsupported operating systems (e.g., Windows 7, XP)

• Medical devices or equipment with no upgrade path

• Systems that cannot run modern security tools

• Systems that use software with outdated protocols or hard-coded credentials.

Legacy systems introduce cybersecurity risks

• Owing to a lack of patches, known vulnerabilities remain open

• Weak access control or outdated authentication methods

• Incompatibility with modern encryption or security logging

• Easier lateral movement of malware if compromised

• Can serve as hidden backdoors into otherwise secure networks

• Ransomware attacks propagated through old Windows systems

Compliance Risks

Hospitals relying on legacy systems face a heightened risk of falling out of compliance with data protection regulations like HIPAA and PCI.

Minimizing risks from legacy systems and devices

Some of the steps you can take to reduce cybersecurity risks are:

1. Segment legacy systems on isolated networks

2. Implement strict access controls and MFA

3. Use compensating controls like monitoring and intrusion detection

4. Inventory and classify all legacy assets

5. Apply virtual patching or external protections

6. Disable unused services and ports

7. Plan and budget for phased decommissioning

8. Restrict internet access for unsupported devices

9. Enforce logging and centralized monitoring

10. Harden legacy endpoints

11. Secure medical devices through vendor collaboration

12. Back up critical systems and data frequently

Pay special attention to EHR systems

Here are a few ways to help reduce cybersecurity risks from legacy EHR systems:

1. Isolate legacy EHR components from public or open networks

2. Ensure data encryption at rest and in transit

3. Limit database access via least-privilege controls

4. Apply logging and centralized monitoring around the EHR environment

5. Enforce timeout and auto-logout settings for all EHR sessions

6. Use secure middleware for third-party integrations

7. Conduct regular access reviews and audit trails

8. Work with the EHR vendor on update or migration planning

9. Protect EHR access points (e.g., workstations, kiosks)

Example of a rural health system that suffered a data breach

Aspire Rural Health, a Michigan-based healthcare provider, suffered a cyberattack in which the BianLian ransomware group infiltrated its systems between November 4, 2024, and January 6, 2025, compromising the data of nearly 140,000 patients, and posted Aspire’s data onto its dark web leak site.

Exposed information included SSNs, medical records, insurance, biometrics, and credentials. Aspire began notifications in August and is offering 12 months of Experian credit monitoring. Multiple law firms, including Morgan & Morgan, are investigating potential class-action lawsuits.