Legacy Medical Devices: Are Older Devices More Vulnerable?

Connected medical devices are increasingly vulnerable to cybersecurity risks. The increased connectivity of medical devices, though beneficial, exposes medical device manufacturers, healthcare providers and patients to cybersecurity risks. 

Over the next decade, the number of connected medical devices worldwide could exceed 50 billion, according to IBM. Defibrillators, pacemakers, insulin pumps and many other devices are now connected to wireless networks and are exposed to cyber attacks. This puts healthcare providers and the lives of patients at serious risk, and one of the greatest threats is the unavailability of medical devices. 

During the COVID-19 pandemic, ransomware and other cyberattacks on healthcare organizations have spiked. There have been a number of heavily publicised events in the US. In July, DuPage Medical Group, an Illinois-based physician group, notified 600,000 patients that their personal health information was exposed when its computer network was hacked. There were also attacks on Atlanta Allergy & Asthma, University Medical Center in Las Vegas (where over 1.3 million people were affected), and the University of New Mexico Health (where 637,252 patients were affected). According to the Wall Street Journal, one cyber criminal group known as Ryuk has hit at least 235 US healthcare facilities since 2018, taking in more than $100 million from ransomware attacks.

In Europe, the HSE (the public healthcare system in Ireland) was impacted by a human-operated ‘Conti’ ransomware attack. This severely disabled a number of HSE systems and necessitated the shutdown of the majority of its other systems. 

All of these attacks have created an extremely volatile environment for medical device manufacturers and healthcare providers. Strengthening medical device cybersecurity has never been a more urgent priority.

Protecting Older Legacy Medical Devices Against New Cyber Threats

One of the biggest cybersecurity challenges for healthcare organizations is defending older legacy medical devices against new cyber threats.

Many devices in operation today were not conceived with cybersecurity in mind. They were built using outdated or insecure software, hardware and protocols. To make matters even more precarious, many legacy devices are still using operating systems such as Windows XP that Microsoft no longer supports with security patches and updates. This leaves healthcare organizations incredibly vulnerable to cyber attacks.

At-risk legacy devices are low-hanging fruit for cybercriminals who use them as access points into hospital networks. These devices, which cannot be easily patched, create a gaping hole in the healthcare system.

FDA’s Steps to Protect Legacy Devices 

Such was the need to reinforce cybersecurity protection in the healthcare industry that the FDA created a new leadership position in early 2021 at its Center for Devices and Radiological Health (CDRH) to oversee medical device security. Kevin Fu, a University of Michigan associate professor and longtime security advocate, was appointed acting director of medical device cybersecurity at CDRH for a one-year term. 

Speaking to MedTech Dive, Fu identified outdated legacy devices as one of the top medical device cyber risks.  

“The greatest cybersecurity risk today is unavailability, because a medical device unavailable to deliver patient care is not safe and effective. Long-term risks also include legacy outdated software that is difficult to keep secure and the need for thoughtful threat models during the early design of medical devices.”

Fu went on to say that, in order to protect outdated legacy devices, the FDA is seeking to introduce the following requirements. 

“FDA seeks to require that devices have the capability to be updated and patched in a timely manner; that premarket submissions to FDA include evidence demonstrating the capability from a design and architecture perspective for device updating and patching; a phased-in approach to a Cybersecurity Bill of Materials (CBOM), a list that includes but is not limited to commercial, open source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities; and that device firms publicly disclose when they learn of a cybersecurity vulnerability so users know when a device they use may be vulnerable and to provide direction to customers to reduce their risk. The proposal also seeks to improve proactive responses to cybersecurity vulnerabilities.”
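The two ideas above, a CBOM listing every software and hardware component in a device and the earlier point that many legacy devices still run operating systems such as Windows XP that no longer receive security patches, fit together naturally: once an organisation has a CBOM for its fleet, it can check each component against vendor end-of-support dates and published advisories and decide, per device, whether the answer is a patch or a compensating control. The script below is an added example written for this article; it is not code from Nova Leah, the FDA or any device manufacturer. The device models, component names, versions, advisory identifiers and the fleet itself are all constructed placeholders; only the Windows XP end-of-extended-support date (8 April 2014) is a real value.

```python
"""
Added example: reviewing a constructed Cybersecurity Bill of Materials (CBOM)
for a small fleet of medical devices.

Every device, component, version and advisory id below is constructed for
illustration. Only the Windows XP end-of-support date (2014-04-08) is real.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    kind: str                     # "os", "library", "firmware" or "hardware"
    support_ends: Optional[date]  # None: vendor still ships security fixes


@dataclass
class Device:
    device_id: str
    model: str
    patchable: bool               # can this deployment accept a field update?
    components: List[Component]


# Constructed advisory feed: (component name, affected version) -> advisory id.
# A real deployment would populate this from manufacturer disclosures and
# public vulnerability databases; "ADV-EXAMPLE-0001" is a placeholder.
ADVISORIES: Dict[Tuple[str, str], str] = {
    ("ExampleTLS", "1.0.1"): "ADV-EXAMPLE-0001",
}

# Date at which the review is run (fixed so the output is reproducible).
REVIEW_DATE = date(2021, 9, 1)


def review_device(device: Device, today: date,
                  advisories: Dict[Tuple[str, str], str] = ADVISORIES) -> List[dict]:
    """Return one finding per at-risk component on the device.

    A component is at risk when its vendor support has already ended (no more
    security patches, the Windows XP situation) or when it matches an advisory.
    The recommended action depends on whether the device can actually be
    patched: an unpatchable device needs compensating controls instead.
    """
    findings = []
    for comp in device.components:
        reasons = []
        if comp.support_ends is not None and comp.support_ends < today:
            reasons.append(f"unsupported since {comp.support_ends.isoformat()}")
        advisory = advisories.get((comp.name, comp.version))
        if advisory:
            reasons.append(f"advisory {advisory}")
        if reasons:
            findings.append({
                "device_id": device.device_id,
                "component": f"{comp.name} {comp.version}",
                "reasons": reasons,
                "action": "patch" if device.patchable
                          else "isolate and apply compensating controls",
            })
    return findings


def fleet_summary(devices: List[Device], today: date) -> dict:
    """Aggregate: which devices are at risk, and which of those cannot be patched."""
    at_risk = [d.device_id for d in devices if review_device(d, today)]
    unpatchable = [d.device_id for d in devices
                   if review_device(d, today) and not d.patchable]
    return {"devices": len(devices), "at_risk": at_risk,
            "unpatchable_at_risk": unpatchable}


# Constructed fleet: one unpatchable pump on Windows XP, two patchable monitors,
# one of which carries a library version matched by the constructed advisory.
FLEET = [
    Device("PUMP-001", "InfusionPump-A", patchable=False, components=[
        Component("Windows XP", "SP3", "os", date(2014, 4, 8)),
        Component("PumpControl", "2.1", "firmware", None)]),
    Device("MON-007", "PatientMonitor-B", patchable=True, components=[
        Component("EmbeddedLinux", "4.4", "os", None),
        Component("ExampleTLS", "1.0.1", "library", None)]),
    Device("MON-008", "PatientMonitor-B", patchable=True, components=[
        Component("EmbeddedLinux", "4.4", "os", None),
        Component("ExampleTLS", "1.1.1", "library", None)]),
]

if __name__ == "__main__":
    for dev in FLEET:
        for finding in review_device(dev, REVIEW_DATE):
            print(finding)
    print(fleet_summary(FLEET, REVIEW_DATE))
```

Run as-is, the script flags the pump for its unsupported operating system and recommends isolation because the device cannot be patched, flags one monitor for the advisory match and recommends a patch, and leaves the third device clean. The point of keeping `patchable` on the device rather than on the component is the one the article makes: the same vulnerable component calls for a different response depending on whether the device it sits in can be updated at all.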

Bringing Medical Devices Up to Speed With Cybersecurity 

Over the last year, representatives within the Healthcare and Public Health Sector Coordinating Council (HSCC) Legacy Task Group have been working together to develop recommendations, suggestions, and best practices on how to bring legacy devices up to speed with cybersecurity.

This task group includes members of the FDA as well as representatives from health delivery organizations and medical device manufacturers.  

Cybersecurity of legacy devices is also a major part of new international guidance from the International Medical Device Regulators Forum (IMDRF). This means that MedTech companies will soon find that cybersecurity for legacy devices is required across major world markets. 

At an organisational level, what can be done to protect vulnerable legacy devices? A good first step is reaching out to Nova Leah to see how you can bring your medical devices up to speed with the latest cybersecurity measures. Nova Leah is a world leader in centralized risk management systems. Our solutions, designed by industry experts, provide complete oversight of medical device vulnerabilities and threats, and automate the management and mitigation of risk. Maintaining a strong cybersecurity posture across your entire product portfolio is easy with our fully compliant risk management systems.

Contact us today.