Management, compliance & auditing

Why your security risk management program should include legacy systems

September 1, 2020 by Greg Belding


The aim of business is to be profitable, and as we all know, investing in new systems, devices and technology costs money that could otherwise be booked as profit. As a result, many organizations keep their legacy systems around because they still work and replacing them with a system that is still supported and updated would simply be too expensive. The unfortunate thing about legacy systems is that they pose a major security risk.

This article will detail why your security risk management program should include legacy systems. We’ll explore a little about legacy systems, why you should take the potential security threat they pose seriously and how you can mold your organization’s security risk management program to include these long-in-the-tooth systems.

Legacy system definition

A legacy system is a computer system that is old or outdated yet still in use. Legacy systems exist in many industries and fields. For example, they are more common in healthcare than one might think, and this has created major security risks for a highly regulated industry that handles sensitive patient information. What could go wrong with this picture?

(Sarcasm aside, this is a glaring security concern. More on this later.)

Legacy systems are still around because they have to be

Legacy systems are still around because they have to be; they are normally at the heart of an organization's operations. Because a legacy system fills a specific role, many organizations keep it running long past its end-of-life date when no suitable replacement exists. Another reason organizations keep legacy systems around is the risk of losing key data during migration to another system, which could cripple the organization.

Despite these risks, the integral nature of legacy systems makes them seemingly irreplaceable for the organization.

The problem with legacy systems

Despite their operational value, legacy systems pose a major security threat because they are outdated technology that is no longer updated, supported or maintained by the vendor or manufacturer. Information security professionals know that updates, especially security updates, are vital for keeping systems secure.

When systems are not updated, attackers can home in on their known vulnerabilities, and since the systems no longer receive updates, those vulnerabilities will never be fixed or patched. Being unsupported also means there is no one to call about the problem, leaving organizations to fend for themselves. To make matters worse, legacy systems generally lack adequate technical documentation and specifications, which makes it hard to replicate their necessary features in a replacement system.

Organizations using legacy systems tend to restrict access to them and then operate them on an "out of sight, out of mind" basis. This near-perfect storm of security issues (no updates, no support and no close monitoring) has placed legacy systems and legacy software at the heart of many security breaches.

Legacy systems in healthcare

Legacy systems are used throughout healthcare because they offer specific functionality and are often prohibitively expensive to replace. Billing and data archiving are two of the most common uses of legacy systems in healthcare, and the routine, back-office nature of these jobs has fostered a "let your guard down" attitude toward their security.

The healthcare industry has fallen victim to data breaches because of legacy systems, and healthcare CIOs have cited them as a central cause of their security problems. Newer threats, most notably ransomware, have proven especially challenging for the industry.

One such incident was reported on June 8, 2020 and affected Rangely District Hospital (RDH) in Colorado. In this breach, ransomware hit a legacy Meditech system, which prevented staff from viewing sensitive patient information and files. RDH did not pay the ransom the attackers demanded and recovered most of the files, but some of the files encrypted by the ransomware could not be recovered.

Addressing legacy systems in your organization’s security risk management program

As explained above, legacy systems are a security risk for organizations for several reasons. The good news is that legacy systems can and should be covered by your organization's security risk management program, which may also help build the case for replacing them. Implementing the following changes to your program will reduce the security risk of relying on legacy systems:

  • Sometimes in-house developers can write their own patches for a legacy system. This is not common, but it helps compensate for the lack of vendor updates. Note, however, that home-grown patches may introduce new security issues and should be tested and reviewed like any other change.
  • If this is not possible and the vendor does not offer extended support for an extra charge, network segmentation is the best option for reducing a legacy system's security risk. Placing the system in its own segment allows tight control over which hosts and protocols can reach it, and over what it can reach in turn.
  • Too often, knowledge of a legacy system rests with a "chosen few" within the organization. Spreading that knowledge among as many employees as practical minimizes the impact of losing the lone wizard who manages the system.
  • Conduct regular security audits that cover the legacy system, including checks that the segmentation controls are actually enforced.
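Segmentation only reduces risk if it holds, so the audit should verify it against real traffic. The following Python script is an added example, not code from the original article: it checks firewall flow logs for a segmented legacy host against an explicit allowlist and flags two kinds of violation, inbound connections that the policy does not permit and any connection the legacy host initiates itself (a legacy billing or archive server has no business dialing out, and outbound traffic is a strong signal of compromise or of a rule gap). The host address 10.20.5.10, the allowed sources, the log format and the log lines are all constructed for the example.

```python
"""Audit flow logs for a segmented legacy host.

Added example, not from the original article. It assumes a hypothetical
legacy billing host at 10.20.5.10 that, per policy, may only be reached
from the billing gateway subnet (10.1.1.0/24) on TCP 443 and from the
backup server (10.1.2.15) on TCP 22, and must never initiate connections.
Log lines use a constructed space-separated firewall-style format:
  ts src dst proto dport action
"""
import ipaddress
from dataclasses import dataclass

LEGACY_HOST = ipaddress.ip_address("10.20.5.10")  # hypothetical legacy host


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dport: int
    proto: str


# Allowlist of inbound flows to the legacy host; everything else is a violation.
ALLOWED_INBOUND = (
    Rule(ipaddress.ip_network("10.1.1.0/24"), 443, "tcp"),  # billing gateway subnet
    Rule(ipaddress.ip_network("10.1.2.15/32"), 22, "tcp"),  # backup server
)


def parse_line(line):
    """Parse one 'ts src dst proto dport action' record into a dict."""
    ts, src, dst, proto, dport, action = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "dport": int(dport),
        "action": action.upper(),
    }


def is_allowed_inbound(flow):
    """True if the flow matches some allowlist rule (source subnet, port, proto)."""
    return any(
        flow["src"] in r.src and flow["dport"] == r.dport and flow["proto"] == r.proto
        for r in ALLOWED_INBOUND
    )


def audit_flows(lines):
    """Return a list of (reason, raw_line) for accepted flows that break the policy.

    Dropped flows are not violations: they show the segmentation rules working.
    """
    violations = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        flow = parse_line(raw)
        if flow["action"] != "ACCEPT":
            continue
        if flow["dst"] == LEGACY_HOST and not is_allowed_inbound(flow):
            violations.append(("unexpected inbound flow to legacy host", raw))
        elif flow["src"] == LEGACY_HOST:
            # The legacy host should never dial out; treat any outbound flow as a finding.
            violations.append(("legacy host initiated outbound connection", raw))
    return violations


# Constructed sample log: two permitted flows, one unexpected SMB connection that
# the firewall accepted, one RDP probe the firewall dropped, and one outbound
# connection from the legacy host to an external address.
SAMPLE_LOG = """\
# ts src dst proto dport action
2020-09-01T08:00:01Z 10.1.1.23 10.20.5.10 tcp 443 ACCEPT
2020-09-01T08:00:05Z 10.1.2.15 10.20.5.10 tcp 22 ACCEPT
2020-09-01T08:01:10Z 10.3.7.44 10.20.5.10 tcp 445 ACCEPT
2020-09-01T08:01:12Z 10.3.7.44 10.20.5.10 tcp 3389 DROP
2020-09-01T08:02:00Z 10.20.5.10 198.51.100.7 tcp 443 ACCEPT
"""

if __name__ == "__main__":
    for reason, line in audit_flows(SAMPLE_LOG.splitlines()):
        print(f"{reason}: {line}")
```

Run against the sample log, the script reports the accepted SMB connection from 10.3.7.44 and the outbound connection from the legacy host; the dropped RDP probe is not reported because the firewall did its job. In practice the allowlist should be generated from the same source of truth as the firewall rules, so that the audit catches rule drift rather than merely restating the current configuration.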


Legacy systems, operationally useful as they may be, can pose a significant security risk to an organization. Still, organizations keep them around for many reasons, from the inability to source a replacement to the risk of losing key data during migration to a new system.

Segmenting a legacy system from the rest of the network will help control the risk of operating it. It is the best option for organizations that need to keep a legacy system and want it to fit better within their security risk management program.



Sources

  1. A Tale of 2 Health Data Breaches: Persistent Challenges, Data Breach Today
  2. Legacy IT systems a significant security challenge, Computer Weekly
  3. What is a legacy system, and why do companies keep using them?, Freeport Metrics
Greg Belding

Greg is a veteran IT professional working in the healthcare field. He enjoys information security, creating information defensive strategy, and writing, both as a cybersecurity blogger and for fun.