Dietitians using Outdated Software and Systems
- David Cumming
- Offline
- Posts: 7
1 month 2 days ago #10204
by David Cumming
Reply from David Cumming on topic Dietitians using Outdated Software and Systems
Good question, and thanks for sparking the discussion! Here are a few recommendations tailored to a Canadian context, building on points already mentioned:
Risk Assessment & Vendor Transparency
As Matt noted, verify if vendors provide security details (independent audits, regular penetration tests, timely patch updates). For legacy systems, especially if support has ended, assess whether the risk is acceptable or if extra security controls are needed.
System Modernization & Interoperability
Evaluate if the outdated software integrates well with modern electronic health records (EHRs) and other systems. If not, consider upgrading to newer platforms that are fully supported, ensuring compliance with Canadian standards such as PIPEDA and any relevant provincial regulations (PHIPA in Ontario, etc.).
Enhanced Cybersecurity Controls for Legacy Systems
If replacing the outdated system isn’t immediately feasible, apply additional safeguards:
- Limit network access to the system through segmentation.
- Restrict unnecessary internet connectivity.
- Use application whitelisting and other compensating controls to reduce risk.
User Training & Awareness
Ensure that dietitians and other staff are aware of the specific risks that come with using outdated software. Regular training on recognizing phishing attempts and other cyber threats is critical, particularly when using unsupported systems.
Regulatory & Compliance Considerations
Compliance with Canadian privacy laws, like PIPEDA, is key. Ensure that data managed by these systems is secured according to current standards and that your organization has a clear plan for managing legacy systems under Canadian cybersecurity guidelines.
- Matt Doyle
- Offline
- Posts: 2
1 month 3 days ago #10193
by Matt Doyle
Reply from Matt Doyle on topic Dietitians using Outdated Software and Systems
Hi Marion,
Whenever I encounter new software that I'm not familiar with, which is something security staff encounter as part of their work, I approach the issue by learning as much about the software as possible. The questions I'm looking to answer are whether the software vendor provides privacy and security details on their website, such as showing that independent audits are conducted, and whether third-party pen tests would happen. I would also check to see if the software is being updated with patches to address vulnerabilities. If these things are not happening, then I would consider if the risk of using the software outweighs the benefits the app provides to the business.
- Marion Calungsud
Topic Author
- Offline
- Posts: 4
1 month 4 days ago #10179
by Marion Calungsud
Reply from Marion Calungsud on topic Dietitians using Outdated Software and Systems
Thank you for your reply, Matt. Dietitians for the most part use similar technology to other healthcare staff. The nutrition-specific software or tools designed for dietitians to assess, plan, and monitor patient nutrition are CBORD, a foodservice and nutrition management system used for meal planning and patient dietary needs; NutriCare, software for creating and managing patient meal plans; and PEN (Practice-based Evidence in Nutrition), an evidence-based resource for dietitians to guide clinical decisions. I have replied to Katherine regarding her follow-up questions as well.
- Marion Calungsud
Topic Author
- Offline
- Posts: 4
1 month 4 days ago #10178
by Marion Calungsud
Reply from Marion Calungsud on topic Dietitians using Outdated Software and Systems
Thank you for your reply, Katherine! What I mean by outdated is when a dietitian is running dietary management software on an unsupported operating system. And legacy is when a dietitian in the hospital is using a decades-old system to manage patient meal plans and nutritional data.
- Matt Doyle
- Offline
- Posts: 2
1 month 4 days ago #10177
by Matt Doyle
Reply from Matt Doyle on topic Dietitians using Outdated Software and Systems
As a cybersecurity professional, I'm not sure what software or devices are used by dietitians. Do they have tools that are unique to them in a hospital setting, or are they using similar technology to other healthcare staff? Marion, you may want to research what tools dietitians use as a starting point, then look at Katherine's approach of researching what it means when systems are outdated or legacy.
- Katherine McMillan
- Offline
- Posts: 13
1 month 4 days ago #10176
by Katherine McMillan
Reply from Katherine McMillan on topic Dietitians using Outdated Software and Systems
Hi Marion,
What do you mean by "outdated"? Also, how would you define "legacy"? These are very important concepts for Health Systems Management and I am glad that you're exploring them!
Moderators: Ann-Marie Westgate, Bijiteshwar Aayush