The ongoing dynamic pursuit of innovation in healthcare, involving rapid deployment of the latest and greatest piece of technology, is distracting from a major problem lurking beneath the surface — the use of IT systems that are at or past their end of life.
Our work across several regional health systems revealed that over 30% of information technology assets on average are past end of life — including critical clinical systems and biomedical devices. This includes unsupported operating systems, aging servers with no patch pathway, and diagnostic tools that cannot integrate with current electronic health record (EHR) capabilities. Our experience is by no means atypical — 96% of hospitals reported running end-of-life operating systems or software with known vulnerabilities, according to a 2023 Department of Health and Human Services report.
The conversation around tech debt and outdated tech typically centers on cybersecurity risk or operational inefficiency. Those concerns are valid, but this isn’t just a technology problem; there are also potential consequences for patient care and patient safety. Taking a more comprehensive view of the situation and associated risks enables leaders to prioritize capital investments with a sharp focus on their responsibilities for patient wellbeing.
Tech debt creates patient safety risks
Hospitals face an unforgiving environment of razor-thin margins, labor shortages, supply chain risk, rising acuity, and uncertainty around federal funding. However, deprioritizing the need to address outdated technology — kicking the can down the road — fuels risks that may endanger patient safety. Consider these factors:
Cybersecurity exposure: Unsupported legacy operating systems, never designed to withstand modern threats, make hospitals prime targets for cyber criminals. According to the Cybersecurity and Infrastructure Security Agency, a typical healthcare organization has unsupported software (41%) or an unsupported Windows operating system (36%) hidden deep in its environment. Medical devices running outdated, proprietary operating systems are especially exposed because security patching is limited by the vendor and by the device's certified configuration; in some cases there is no supported way to update the software at all, which leaves network segmentation and tight access control as the only compensating measures. Cyberattacks jeopardize patient safety in concrete ways: cutting off access to EHRs, seizing control of connected medical devices, and more.
Operational disruption: Outdated medical devices are more prone to glitches, downtime, and outright failure. This phenomenon, combined with poor to nonexistent EHR interfacing, represents a recipe for diagnostic delays, handoff errors, data integrity issues, or worse. For instance, when lab interfaces fail due to outdated middleware, test results can be delayed or misrouted. Even minor interruptions in EHR connectivity can lead to a measurable increase in diagnostic delays for critical lab values, according to a JAMA study.
Clinician burnout: Tech debt can force clinicians to regularly deploy time-consuming workarounds. Systems that are sluggish and unresponsive, or that regularly crash, exacerbate their frustration and erode overall confidence in IT’s ability to deliver. Physicians have cited friction with technology as a major cause of burnout. In healthcare, technology should be an enabler. Instead, too often it’s become a barrier.
Tech debt is an enterprise issue, not just an IT problem
Because tech debt is a patient safety risk, it must be considered an enterprise leadership responsibility. Treating it as solely an IT issue misses the mark. The technology systems in question are deeply woven into clinical operations, revenue integrity, and care delivery itself. Just as capital is allocated to meet clinical priorities, investment in modernizing foundational platforms must be treated as a strategic imperative. Otherwise, outdated systems may silently erode care quality, response times, and patient trust.
We’ve identified four tactics leaders can adopt to start down the road of closing their organization’s tech debt:
Map risk exposure: Start with an inventory, not just of hardware and software but of risk. For each asset, record the vendor's end-of-support date, whether a patch pathway or extended-support contract exists, and whether the system touches patient care directly. Be sure to capture shadow IT: hardware or software that a department or individual uses without the IT department's approval. Because shadow IT sits outside normal patching, monitoring, and backup processes, it is a frequent source of significant vulnerabilities.
Apply a fix, replace, and retire framework: Some systems can be patched and extended with the right vendor support, such as an extended-support contract, or shielded with compensating controls like network segmentation. Others are candidates for full replacement or retirement. Build a matrix that scores each asset on clinical impact, risk, and cost to upgrade, and let that score set the order of work.
Get buy-in beyond IT: Engage clinical leaders, compliance teams, risk management, and finance. Everyone needs to understand that tech debt is a shared operational and clinical risk. Getting that buy-in will result in stronger alignment and faster action.
Embed tech debt into capital planning: Instead of treating IT upgrades as discretionary expenses that must be re-justified annually, position them as strategic risk mitigations and patient safety investments — no different from physical infrastructure or clinical equipment. Yes, capital is constrained. Yes, towers are aging, labor costs surging, and margins are tight. But that is precisely why health systems can’t afford to invest reactively here: modernizing core tech systems enables safe, scalable, and resilient operations, so that every other investment can deliver on its promise. Addressing tech debt must figure into mid- and long-term capital planning proposals with the same seriousness afforded to other mission-critical investments.
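To make the inventory and fix/replace/retire steps concrete, here is an added example in Python; it is not code from the original article or from any health system it describes. It takes a small constructed inventory, flags assets past their vendor end-of-support date, scores each on clinical impact, patchability, support status and shadow-IT status, and assigns a fix, replace, retire or keep action. The field names, the weights in risk_score(), the thresholds in recommend(), and the sample assets, dates and costs are all assumptions made for illustration, not published guidance.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Reference date for the EOL check (assumption: any fixed date works for the demo).
TODAY = date(2025, 6, 1)


@dataclass
class Asset:
    name: str
    kind: str                   # server, workstation, device, middleware, software
    platform: str               # OS or software the asset depends on
    eol: Optional[date]         # vendor end-of-support date; None = unknown
    clinical_impact: int        # 0 = none ... 3 = directly affects patient care
    patchable: bool             # vendor fixes or an extended-support contract exist
    upgrade_cost_usd: int       # rough cost to fix or replace
    approved: bool              # in the IT asset register; False = shadow IT


def is_past_eol(asset: Asset, today: date = TODAY) -> bool:
    """An unknown EOL date is treated as past EOL: if nobody can say the
    platform is supported, plan as though it is not (conservative assumption)."""
    return asset.eol is None or asset.eol < today


def risk_score(asset: Asset, today: date = TODAY) -> int:
    """Additive score; the weights are illustrative, not a published standard."""
    score = 3 * asset.clinical_impact      # patient-safety relevance dominates
    if is_past_eol(asset, today):
        score += 4                         # no vendor security fixes
    if not asset.patchable:
        score += 3                         # no pathway even for known CVEs
    if not asset.approved:
        score += 2                         # shadow IT: unmonitored, not backed up
    return score


def recommend(asset: Asset, today: date = TODAY) -> str:
    """Fix / replace / retire / keep decision (thresholds are assumptions)."""
    if not is_past_eol(asset, today):
        return "keep"                      # supported today; track its EOL date
    if asset.patchable:
        return "fix"                       # extend via patches / extended support
    if asset.clinical_impact >= 2:
        return "replace"                   # unpatchable and touches patient care
    return "retire"                        # unpatchable, low clinical value


def build_matrix(assets, today: date = TODAY):
    """Rows sorted so the highest-risk, cheapest-to-address items come first."""
    rows = [
        {
            "asset": a.name,
            "platform": a.platform,
            "past_eol": is_past_eol(a, today),
            "shadow_it": not a.approved,
            "impact": a.clinical_impact,
            "risk": risk_score(a, today),
            "cost_usd": a.upgrade_cost_usd,
            "action": recommend(a, today),
        }
        for a in assets
    ]
    return sorted(rows, key=lambda r: (-r["risk"], r["cost_usd"]))


def eol_share(assets, today: date = TODAY) -> float:
    """Fraction of the inventory past end of life (the headline metric)."""
    return sum(is_past_eol(a, today) for a in assets) / len(assets)


def shadow_it(assets):
    """Names of assets that are not in the IT asset register."""
    return [a.name for a in assets if not a.approved]


# Constructed sample inventory; names, dates and costs are made up for the demo.
INVENTORY = [
    Asset("ICU ventilator fleet", "device", "vendor RTOS 4.x", date(2019, 12, 31), 3, False, 900_000, True),
    Asset("Lab results middleware", "middleware", "Windows Server 2012 R2", date(2023, 10, 10), 3, True, 120_000, True),
    Asset("Radiology viewer workstations", "workstation", "Windows 10", date(2025, 10, 14), 2, True, 60_000, True),
    Asset("Cafeteria point-of-sale", "device", "Windows 7", date(2020, 1, 14), 0, False, 8_000, True),
    Asset("Dept. on-call scheduling tool", "software", "Access 2010", date(2020, 10, 13), 1, False, 15_000, False),
]

if __name__ == "__main__":
    print(f"{eol_share(INVENTORY):.0%} of assets past EOL; shadow IT: {shadow_it(INVENTORY)}")
    for row in build_matrix(INVENTORY):
        print(f"{row['risk']:>3}  {row['action']:<8} {row['asset']:<32} ${row['cost_usd']:>8,}")
```

Two design points worth noting. An asset with no recorded end-of-support date is scored as if already unsupported, because "we don't know" is the state most unpatched devices are actually in. And the matrix is date-relative: the Windows 10 workstations are "keep" on the reference date but become "fix" once the vendor date passes, so the script should be re-run on each planning cycle rather than treated as a one-off report. In a real deployment the inventory rows would come from the CMDB and network discovery, not a hand-typed list.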
The Hospital of the Future can’t run on aged infrastructure
Hospitals need new governance models and financial tools to deal with aging infrastructure systematically. Some leading health systems are starting to adopt multi-year capital refresh strategies, with dedicated tech debt budgets and cross-functional steering committees. These systems recognize that the longer tech debt accumulates, the harder it becomes to fix, and the more potentially dangerous it becomes.
It’s time for more organizations to follow suit. The cost of inaction is not just the risk of downtime or data loss — it’s the risk of compromised care.