Guidance

This is best practice guidance

Although not legally required, it's an essential activity.

This Guide covers:

- Great Britain (England, Scotland, Wales)

From:

- Medicines and Healthcare products Regulatory Agency (MHRA)

Page last reviewed: 13 Jan 2023

Planning for managing legacy systems and decommissioning digital healthcare technologies

It is important to plan for managing legacy systems and decommissioning before deploying a digital healthcare technology. Adopters should do this planning during procurement, in liaison with the developer or vendor.

What are legacy systems?

A legacy system is an outdated or unsupported technology that is still in use. It relates to digital technologies that are one or more of the following:

  • considered an end-of-life technology
  • out of support from the supplier
  • impossible to update
  • no longer cost effective
  • considered above the acceptable risk threshold

Managing legacy systems

There are risks inherent in retaining legacy systems, for example:

  • the digital technology may become less reliable
  • it may be difficult to know what data is held within the technology and how to migrate it

If the technology is no longer supported by the developer, the post-market surveillance function will stop. So, the technology will not be updated to solve bugs or respond to any changes in input data and target population. This will affect its ongoing performance and reliability and potentially impact negatively on patients or service users. This is a particular consideration for data-driven technologies because of the potential for drift, so performance does not stay the same over time. Retaining an unsupported technology can expose systems to other vulnerabilities including cyber attacks. Once there is no identified developer, adopters may be taking on the liabilities for the use of the digital technology.

The management of legacy systems depends on your organisations overarching IT strategy. However, there may be a point when you need to decommission a digital technology and manage migration to newer technologies.

Decommissioning a digital healthcare technology

Digital technologies may need decommissioning because of increased risks associated with a legacy system, or because of organisational or system changes.

Decommissioning a digital technology carries risks that need to be considered and addressed before the decommissioning happens. Digital technologies may hold data that will need to be extracted into a secure environment or securely migrated to a newer system. The process of decommissioning may cost time and money, and needs appropriate staffing to manage the process. So, the decision to decommission needs to consider whether the risks associated with retaining a legacy system outweigh the risks of decommissioning and migrating data.

Planning ahead during procurement

During procurement, you need to agree considerations and processes for the end-of-date of the digital technology (if known) and decommissioning. The developer should provide the information you need. If you are in England and Wales your organisation will assess this information using section 7.4 of standard DCB0160, specifically:

  • considering the requirement for a clinical risk management process for technology decommissioning
  • taking into account the succeeding technology
  • addressing migration of data, and
  • issuing a clinical safety case report to support decommissioning

The UK government’s guidance on managing legacy systems has 7 key principles for you to consider:

  • Aim to use continuous improvement planning to keep your technology up to date
  • Build a complete and accurate register of your data assets
  • Know the full extent of your systems and infrastructure
  • Build the skills and capabilities of your IT team
  • Have a flexible and responsive service model which can adapt to changing technology
  • Consider the organisation’s business needs, processes and culture
  • Use the Technology Code of Practice as a basis for your decisions

For more information on each principle and the processes to consider, see the government’s guidance on managing legacy systems.

You may need to consider other standards and processes when addressing data migration issues. For more information on data migration, see the data management guide for adopters.

Is there anything wrong with this page? Let us know