Why Do So Many Healthcare Organisations Run Legacy Systems?
As a leading managed service provider offering IT support for hospices and healthcare organisations, we often find ourselves working with legacy systems. As digital workloads expand and the threat of cyber attacks grows stronger every day, this is obviously a worrying situation. Here’s a look at why this is the case, and what the risks are.
Why is the healthcare sector dependent on legacy systems?
Despite the clear cybersecurity risks, there are several reasons why outdated systems persist in the healthcare industry:
Medical equipment dependency
The healthcare industry has a lot of ageing medical equipment, such as MRI scanners, patient monitors and blood analysers, that relies on software that is no longer supported. Replacing or upgrading these machines is often not a priority because of budget and time constraints, especially if they still function reliably.
The need for uninterrupted care
Downtime is particularly challenging for the healthcare sector: services are required round the clock and may see unpredictable peaks in demand, so managing the disruption caused by an upgrade is difficult. Hospitals, hospices and clinics are patient-first environments, so IT upgrades are not high on the list of priorities.
Budget constraints
The NHS is battling with overstretched budgets and rising demand, and financial resources tend to be directed at frontline care. Investment in IT systems tends to occur reactively after a major incident or security breach.
That said, in June the government announced as part of its Spending Review that it will be investing up to £10bn in NHS technology and digital transformation, “to bring our analogue health system into the digital age”. The package also includes the launch of an NHS app to enable patients to manage their prescriptions, access services and more.
The investment will also be used to deliver “a single patient record, giving patients a unified view of their medical history and enabling two-way communication and active management of their healthcare”. Hopefully it will also address issues such as obsolete software and security vulnerabilities.
Under-resourced IT teams
Despite the fact that technology now underpins the modern healthcare service, IT teams are often understaffed and under-resourced. This means they frequently operate in firefighting mode, and routine but essential tasks such as security patching and risk assessments are continually sidelined.
Furthermore, the NHS is a huge organisation, and there is considerable fragmentation of IT systems between different departments, specialisms and institutions. This means that IT teams often can’t work easily and securely across multiple sites, and clinical staff have to resort to analogue methods of transferring essential patient information.
What are the dangers of legacy systems?
Running legacy systems doesn’t just mean putting up with sluggishness and inefficiencies: it leaves IT infrastructure dangerously exposed.
Unpatched vulnerabilities
Older software that no longer receives security updates is increasingly open to cyberattacks. Healthcare organisations are frequently targeted by cybercriminals because of the huge amounts of sensitive information they hold. They are also viewed as more likely to pay ransom demands because of the intense pressure to keep systems running.
For example, the 2017 WannaCry ransomware attack exploited a flaw in unpatched versions of Windows. It cost the NHS about £100m and led to thousands of cancelled appointments.
Even if legacy systems are routinely patched, most cannot support the latest and most advanced security tools that are designed to offer full endpoint protection and proactively monitor for threats.
Weak access control and encryption
Many older systems rely on passwords alone for login, which is an increasingly outdated form of protection. Obsolete software typically cannot support multi-factor authentication or other modern methods of access control, leaving it more vulnerable to security breaches.
Furthermore, it may not support current encryption protocols, leaving patient data or confidential communications vulnerable to hackers.
How healthcare organisations can manage IT risks
Legacy systems compromise patient safety and can even put lives at risk. Security breaches damage reputation and patient trust, and also pose legal and financial risks if GDPR is breached. It is unrealistic to expect all legacy systems to be replaced overnight, or even within 12 months. However, there are sensible precautions that can be taken.
These include planning for Windows 10 end of life on 14 October 2025, when Microsoft will stop providing technical support or issuing security updates. Audits should be carried out to identify the most vulnerable systems and isolate them from wider networks. Systems that can’t be upgraded should be strictly access controlled for essential staff use only.
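The audit step above can be scripted. The following is an added example, not code from the article or from any particular provider: it takes a constructed asset inventory, classifies each host against vendor end-of-support dates (the Windows 10 date is the one quoted above), and ranks the results so that unsupported hosts still sitting on the shared network come first, with the action the article recommends. Host names, the "segregated" flag and the 90-day warning window are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates used for the audit. The Windows 10 date is the one
# quoted in the article; Windows 7 (14 January 2020) is Microsoft's published date.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

@dataclass
class Asset:
    name: str
    os: str
    segregated: bool  # True if already on an isolated network segment (assumed field)

def support_status(asset: Asset, today: date) -> str:
    """Classify as 'unsupported', 'eol-soon' (within 90 days) or 'supported'."""
    eol = END_OF_SUPPORT.get(asset.os)
    if eol is None:
        return "supported"  # assumption: an OS not in the table is still patched
    if today >= eol:
        return "unsupported"
    return "eol-soon" if (eol - today).days <= 90 else "supported"

def recommended_action(asset: Asset, status: str) -> str:
    """Map a status to the precautions the article lists."""
    if status == "unsupported" and not asset.segregated:
        return "isolate from wider network; restrict to essential staff"
    if status == "unsupported":
        return "restrict to essential staff; plan replacement"
    if status == "eol-soon":
        return "schedule upgrade before end of support"
    return "keep patched"

_PRIORITY = {"unsupported": 0, "eol-soon": 1, "supported": 2}

def triage(assets, today):
    """Return (name, status, action) rows, riskiest first (unsegregated before segregated)."""
    rows = [(a, support_status(a, today)) for a in assets]
    rows.sort(key=lambda r: (_PRIORITY[r[1]], r[0].segregated, r[0].name))
    return [(a.name, s, recommended_action(a, s)) for a, s in rows]

# Constructed sample inventory (hypothetical host names, not real systems).
SAMPLE = [
    Asset("mri-console-01", "Windows 7", segregated=False),
    Asset("ward-pc-12", "Windows 10", segregated=False),
    Asset("blood-analyser-03", "Windows 7", segregated=True),
    Asset("reception-pc-02", "Windows 11", segregated=False),
]
```

Run `triage(SAMPLE, date.today())` against a real inventory export to get a prioritised isolation and upgrade list; the table of dates is the only part that needs maintaining.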