Healthcare organizations spend enormous resources protecting their most active systems. But what about the data quietly accumulating in legacy platforms no one has touched in years?
Consider this:
- 73% of healthcare providers are still running legacy operating systems (Windows 7, which no longer receives Microsoft security updates, is surprisingly common).
- Legacy systems are cited as the initial access point in 24% of severe security incidents.
- Healthcare organizations using legacy technology are three times more likely to suffer a major breach, with those breaches costing 28% more on average than incidents involving modern infrastructure.
This is what we define as impact radius – the full extent of damage a single security breach could cause to an organization. Impact radius covers both direct and indirect effects: the operational disruption, regulatory exposure, financial fallout, and legal liability that ripple outward from a breach. And in healthcare, where legacy systems are everywhere, the impact radius can be staggeringly large.
In May 2021, a ransomware attack on a multi-hospital health system disrupted operations across five facilities, forced emergency diversions, triggered widespread appointment cancellations, and ultimately affected more than 147,000 individuals through confirmed data exfiltration. The financial damage exceeded $112 million. At least four class action lawsuits followed. The root cause? Outdated Windows systems running on an unsegmented network, without modern endpoint detection.
The solution is bigger than system upgrades. Legacy data and legacy infrastructure compound each other's risk: decades of patient data living on unsupported platforms adds exposure every single day. When a breach occurs, every record on every legacy system becomes part of the blast zone.
Reducing your impact radius starts with an honest accounting of what you have and where it lives. In our next post in this series, we’ll look at how GRC and resiliency frameworks provide the structure to act on that inventory.