Given the increasing threat of cyberattacks on the healthcare industry, both government agencies and private businesses have a vested interest in better protection from malicious actors. The threat has become so severe that in 2022, Congress tasked the FDA with assessing the cybersecurity strengths and weaknesses of medical devices.
The FDA delivered its report in September of 2023. However, the report focused primarily on modern medical devices and did not address legacy devices, which are still widely used at hospitals and clinics across the country. To close that gap, the FDA contracted the nonprofit corporation MITRE to interview healthcare groups, technology manufacturers, and cybersecurity experts.
From these interviews and discussions, MITRE developed a list of eight recommendations for countering the cybersecurity risk posed by legacy devices. Today, we'll review those eight recommendations and how healthcare groups can implement them.
Collect More Data for Better Decision Making
Both healthcare groups and medical device manufacturers lack the quantitative and qualitative data needed to make informed decisions about legacy devices: whether replacing a device costs more than continuing to use it, what its effective lifespan is, what it costs to maintain versus replace, and so on.
Develop Information Sharing Agreements for Better Transparency
Information sharing agreements (ISAs) are typically folded into other contracts, such as non-disclosure agreements and business associate agreements, and are drafted uniquely for each deal they are attached to. A general ISA template would streamline information sharing between end users and manufacturers and could set out expectations for security controls, device access credentials, and vendor support across the product's lifecycle.
Establish Security Architecture Working Groups
Both sides of the end-user/manufacturer relationship need more visibility into each other's security architecture. Medical device manufacturers do not fully understand how healthcare groups integrate their devices into a wider network, and healthcare groups do not fully understand how manufacturers design the security architecture of their products. Both sides hold back because they fear exposing sensitive information to malicious actors or losing intellectual property.
However, that fear also keeps healthcare groups and manufacturers from collaborating effectively on tasks such as identifying security controls that work both within devices and across a group's network, or developing a standardized way of describing controls, components, and information flows.
Embrace Modular Design for Medical Devices
Embracing modular design at both the software and hardware level allows legacy components of either kind to be replaced more easily while components that still function are kept. For example, an anesthesia machine with an integrated medical computer that controls its functions could have the computer replaced while the machinery itself stays in service.
Conduct Studies on Vulnerability Management Coordination
Current vulnerability management processes are resource-intensive and time-consuming because each organization runs them alone, without input from other healthcare groups or device manufacturers. One suggestion MITRE makes is a centralized or federated repository for vulnerability and patch notifications, which would let stakeholders across the industry share information and coordinate their efforts more efficiently.
Develop Competency Models for Roles Related to Legacy Device Risks
In any security system, the human element is often the weakest link. Healthcare groups and manufacturers need to develop competency models that train workers to protect themselves and their legacy medical devices from cybersecurity threats. Even something as simple as recognizing phishing attempts can stop many attacks at their first step.
Identify Resources for Workforce Training and Development
Healthcare groups with fewer resources need greater support for workforce training if they are to protect their legacy medical devices. The Cybersecurity and Infrastructure Security Agency (CISA) offers free cybersecurity training to the public, including through its Federal Virtual Training Environment (FedVTE). Supporting and funding these programs is therefore in everybody's best interest.
Participate in Mutual Aid Partnerships
Stakeholders in the healthcare industry are already familiar with ad-hoc relationships, official partnerships, and government cooperation agreements. Leveraging those relationships for technical assistance, knowledge sharing, and cross-training on cybersecurity benefits all parties involved.
Closing Thoughts
With the threat of cyberattacks growing more pressing by the day, healthcare stakeholders must respond. If they cannot replace legacy devices currently in use, then they can at least shore up the defenses around those devices, whether that means better training, better technical support, or better partnerships with other stakeholders.
If your healthcare group needs a partner that specializes in supporting legacy devices, contact the team at Cybernet Manufacturing. We offer medical tablets and computers that are compatible with legacy devices and boast full suites of cybersecurity features, such as Imprivata encryption and RFID scanners to prevent unauthorized access.