HSCC Publishes Guidance On Managing Legacy Medical Tech Security
The guidance positions medical technology security as a shared responsibility, encouraging medical device manufacturers and healthcare organizations to work together to reduce risks associated with legacy tech.
The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) released its “Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS)” guidance, aimed at helping medical device manufacturers (MDMs) and healthcare organizations manage legacy medical technology security risks.
The guidance can be leveraged by MDMs, healthcare organizations, and other technology providers to establish a shared responsibility for the security of legacy tech. As previously reported, unpatched and legacy medical devices can pose security risks to healthcare organizations.
In September 2022, the Federal Bureau of Investigation (FBI) released a notice highlighting the recent uptick in known medical device vulnerabilities. Threat actors can exploit outdated software and weak security features in medical devices to carry out cyberattacks.
HSCC noted that legacy devices are only a portion of the technologies within healthcare environments that can pose risks when they become outdated. Other technologies beyond devices must be included in the conversation.
“To fully manage cyber risk in a modern healthcare environment, HDOs must consider FDA regulated devices, non-FDA regulated devices, laboratory equipment, building and facilities technologies, mortuary equipment, general information technologies, and many more,” the document noted.
“And because these technologies also age, becoming more vulnerable and/or unsupported, the same legacy pressures traditionally identified as affecting medical devices also affect these other technologies.”
The guidance contains four “core pillars” that the HSCC CWG identified as the key elements of a legacy technology cyber risk management program: governance, communications, cyber risk management, and future proofing.
Through these core pillars, MDMs and healthcare organizations are encouraged to discuss the ways in which they can manage cyber risk in the present and the future. For example, the future proofing section raises important considerations about developing and designing devices and technology in a way that minimizes future legacy pressures.
The document also contains useful deep-dives into key risk management and mitigation tactics, such as patching and software bills of materials (SBOMs).
“Management of legacy technologies in healthcare is a multi-faceted challenge. Although the functional or maintenance obsolescence, or even technology safety risks as a result of technology end-of-support, are not new problems, and have occurred and will continue occurring in non-cybersecurity settings, the inclusion of cybersecurity considerations heightens the frequency of such events and increases the urgency of addressing them,” the document states.
“And although managing the cybersecurity of technologies is a recognized practice, a technology's legacy status requires additional considerations and often a unique and different approach.”