Cybersecurity for legacy medical devices plays a crucial role in healthcare: removing these devices from service may pose a greater risk to patient safety, clinical operations, and financial stability than leaving them in service, so the challenging task of "securing" them is paramount. It must be recognized that overall management of the risk is a joint responsibility throughout a device's lifespan. Understanding the scope and financial aspects from both the Medical Device Manufacturer (MDM) and Health Delivery Organization (HDO) perspectives is crucial for informed decision-making by both parties, particularly in ensuring the security of these legacy devices.
What is a legacy medical device? A legacy medical device is one that cannot reasonably defend against current cybersecurity threats.
This category encompasses devices that have exceeded their declared end of support or end of life and often lack the capacity to address contemporary cyber risks. The key words are reasonably and current cybersecurity threats (i.e., the threats of today, not those that existed when the device was first released to market).
The Healthcare and Public Health Sector Coordinating Council (HSCC) and International Medical Device Regulators Forum (IMDRF) working groups have done valuable work in identifying the challenges posed by legacy medical devices and providing recommendations, frameworks, and processes to address them. Nonetheless, some challenges and gaps remain in implementing those recommendations. The FDA therefore partnered with MITRE to produce the white paper Next Steps toward Managing Legacy Medical Device Cybersecurity Risks, which focuses on near-term solutions and provides advice on operationalizing key recommendations that address these challenges. Download the report: MITRE-PR-23-3695-Managing-Legacy-Medical-Device Cybersecurity-Risks
Recommendations from the report:
Developing Shared Responsibility over the Medical Device Lifecycle
1. Pilot data collection to support decision making for legacy device risk management
2. Develop information sharing agreement templates to increase transparency
3. Establish a security architecture working group
4. Develop a research program in modular design for medical devices
Vulnerability Management Study
5. Conduct a study on vulnerability management coordination
Workforce development
6. Develop competency models for roles related to legacy cyber risk management
7. Identify resources for workforce development
Mutual Aid Partnerships
8. Participate in mutual aid partnerships
What is Threat Modeling? See our post: MITRE Threat Modeling Playbook