How legacy VB6 systems are endangering healthcare providers

Abto Software
4 min read · May 7, 2024

This post is a quick overview of an Abto Software blog article.

In healthcare, it is common to retain legacy applications, in particular VB6 programs, because they hold information and mission-critical functionality that must be preserved:

  • In the healthcare segment, patient safety is the foremost priority — software upgrades and migration might disrupt everyday operations
  • In modern healthcare, resources are often very limited, and system upgrades and migration require significant investment
  • Software upgrades can introduce interoperability issues
  • System migration might necessitate the replacement of integrated medical devices

With today’s omnipresent digitalization, healthcare software is used to manage sensitive information. Full names, home addresses, health records, insurance information, and other identifiable information are all very valuable to criminals.

In this short overview, which summarizes our original blog article, we talk about the most prominent data breaches and how Visual Basic 6 systems introduce security vulnerabilities.

The biggest data breaches in 2024

The list below shows the largest data breaches that healthcare providers and their associates fell victim to in 2024:

  • Otolaryngology Associates, LLC — IN, 316802 individuals affected
  • Family Health Center — MI, 33240 individuals affected
  • Designed Receivable Solutions, Inc. — CA, 129584 individuals affected
  • Emergency Medical Services Authority — OK, 611743 individuals affected
  • M&D Capital Premier Billing, LLC — NY, 284326 individuals affected
  • Pomona Valley Hospital Medical Center — CA, 13345 individuals affected
  • Ezras Choilim Health Center, Inc. — NY, 59861 individuals affected
  • Valley Oaks Health — IN, 50034 individuals affected
  • Weirton Medical Center — WV, 26793 individuals affected
  • Eastern Radiologists, Inc — NC, 886746 individuals affected

The biggest data breaches in the last decade

And now, let’s discuss the biggest data breaches in the United States health sector in the last decade:

Tricare

September 2011, 5 million patients affected

Tricare, a healthcare program for active-duty military personnel, suffered a major data breach. Backups of patients’ electronic health records were stolen while being transported between facilities.

In the Tricare breach, the following data was potentially compromised:

  • Full names
  • Home addresses
  • Phone numbers
  • Health records
  • Clinical notes
  • Lab tests
  • Prescription information
  • And social security numbers

Community Health Systems

April-June 2014, 4.5 million patients affected

Cybercriminals believed to be primarily based in China deployed sophisticated malware. The cyberattack affected individuals who had received services at the network’s facilities over approximately the preceding five years.

In the Community Health Systems breach, the following data was potentially compromised:

  • Full names
  • Home addresses
  • Phone numbers
  • And social security numbers

UCLA

July 2015, 4.5 million patients affected

In 2014, UCLA experienced a significant data breach, but its malicious potential was not confirmed in a timely manner. In 2015, a subsequent security incident was confirmed and resulted in millions of sensitive patient records being compromised.

The compromised data included:

  • Full names
  • Birth dates
  • Medical information
  • Medicaid details
  • Health plan identification numbers
  • And social security numbers

Advocate Health Care

August 2013, 4.03 million patients affected

Advocate Health Care experienced a major data breach, which involved the theft of four personal computers. These computers were used to store and manage the unencrypted information of millions of patients.

The compromised data included:

  • Full names
  • Home addresses
  • Demographic information
  • Clinical information
  • Insurance information
  • Credit cards with their expiration dates

Maintaining legacy VB6 solutions

Unavailable updates and patches

Since 2008, Microsoft hasn’t provided support, including updates and patches, leaving systems very vulnerable. That means VB6 software is exposed to exploits targeting known security vulnerabilities.

Troublesome integration

Legacy software might need additional adaptations to ensure smooth integration with more modern systems. That might force decision-makers to resort to makeshift changes to existing systems to eliminate new vulnerabilities.

Weak encryption and doubtful data storage

VB6 applications typically lack modern encryption standards and implement outdated algorithms. That poses security risks to the sensitive information they manage, which comprises personal details, health records, and other relevant information.

Inadequate logging and monitoring

VB6 applications can’t provide comprehensive logging and monitoring, which complicates security practices. That makes it difficult to detect and mitigate security incidents, including credential stuffing attacks, unauthorized access, and more.

Replacing legacy VB6 systems

User authentication and authorization

Modern technologies provide various mechanisms that enable secure authentication and authorization. These range from two-factor and multi-factor authentication to more complex mechanisms.

Data encryption

What’s more, advanced technologies, in particular the modern .NET framework, also enable secure encryption. This means data transferred from system to system is protected from several different threats.

Secure coding practices

These platforms also encourage integrating secure coding practices and modern-day design methodologies. These minimize the introduction of numerous security vulnerabilities: SQL injection, cross-site scripting, buffer overflows, and others.

Role-based access control

Newer technologies support role-based access control to define and enforce better tailored access policies. This way, they eliminate privilege escalation, compliance violations, and other security issues.

How we can help

Abto Software helps business leaders successfully replace legacy applications by handling VB6 migration. Our engineers cover everything from discovery to investigation, planning, conversion, and maintenance.

VB6 to .NET migration, VB6 to C# migration, application re-engineering and re-architecting, data migration — we cover it all.
