The Food and Drug Administration (FDA) has recently implemented comprehensive regulations aimed at enhancing the cybersecurity of medical devices, amidst ongoing cyber threats targeting hospitals. Despite these efforts, a significant challenge persists with legacy medical devices that use outdated software, creating vulnerabilities within hospital networks. These devices, although not usually the direct targets of cyberattacks, can be compromised during broader network breaches, potentially requiring shutdowns and posing risks to patient safety.
John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk, highlighted the ongoing struggle between securing these devices, economic considerations of maintaining older equipment, and the imperative of patient care in emergency situations. The FDA’s Center for Devices and Radiological Health introduced stringent cybersecurity standards in 2023 to ensure medical devices are secure before and after entering the market, marking a significant shift towards prioritizing cybersecurity in healthcare.
However, addressing the issue of legacy devices remains complex. Nastassia Tamari, director of the CDRH’s Division of Medical Device Cybersecurity, revealed that the exact number of these outdated devices in hospitals is unknown due to a lack of reliable data, making it one of the industry’s most pressing problems. Hospitals face practical and financial constraints in replacing these essential but unsupported machines.
To manage risks posed by legacy devices, cybersecurity experts propose a multi-step approach. The first step involves identifying all devices connected to a hospital’s network, a task complicated by the sheer volume and variety of connected equipment. Once identified, these devices need continuous monitoring to detect new threats, required updates, or patches.
Understanding the vulnerabilities specific to each device is crucial. Some devices might need immediate software updates or patches, while others, already outdated, lack available security improvements. Tools like a software bill of materials (SBOM) can aid hospitals in understanding which components make up a device and what vulnerabilities might be present, serving as an essential inventory provided by manufacturers.
The FDA has mandated manufacturers to provide SBOMs, enhancing transparency and security practices, though it remains a challenge to ensure these devices are initially designed with optimal security features.
Once vulnerabilities are assessed, network segmentation can be employed to isolate at-risk devices, preventing potential cyber threats from spreading throughout a hospital’s network. This strategic isolation helps in managing devices that cannot be updated or patched. In scenarios where segmentation isn’t enough, devices might be air-gapped to completely disconnect them from vulnerable networks.
In extreme cases where devices pose too high a risk, they may need to be shut down entirely, a last-resort measure given the essential role many medical devices play in patient care. This requires hospitals to plan for patient care continuity without the affected technology, often involving coordination with other facilities and detailed communication with device manufacturers.
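The inventory, SBOM review, and escalation ladder described above (monitor, patch, segment, isolate) can be sketched in code. The following is an added example written for this page, not code from the FDA, the AHA, or any device vendor. It assumes a CycloneDX-style JSON layout for the SBOMs, and the two device SBOMs and three advisories are constructed with placeholder identifiers (not real products or CVEs); a hospital would feed in manufacturer-supplied SBOMs and a real advisory feed instead.

```python
import json

# Constructed CycloneDX-style SBOMs for two hypothetical devices (not real products).
SBOMS_JSON = [
    """{"bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "example-infusion-pump", "version": "3.2"}},
        "components": [
          {"type": "operating-system", "name": "example-rtos", "version": "2.1.0"},
          {"type": "library", "name": "example-tls", "version": "1.0.1"}]}""",
    """{"bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "example-imaging-workstation", "version": "7"}},
        "components": [
          {"type": "library", "name": "example-tls", "version": "1.0.3"},
          {"type": "library", "name": "example-dicom", "version": "0.9"}]}""",
]

# Constructed advisories with placeholder IDs (not real CVEs).
# "affected_below": component versions strictly below this are vulnerable.
# "fixed_in": None means the vendor ships no fix, the typical end-of-life case.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "example-tls",
     "affected_below": "1.0.2", "fixed_in": "1.0.2", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "component": "example-rtos",
     "affected_below": "3.0.0", "fixed_in": None, "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "component": "example-dicom",
     "affected_below": "1.0", "fixed_in": None, "severity": "medium"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(v):
    """Turn '1.0.2' into (1, 0, 2); pad to three parts so '1.0' compares as (1, 0, 0)."""
    parts = tuple(int(p) if p.isdigit() else 0 for p in v.split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def find_affected(sbom, advisories):
    """Match every SBOM component against the advisory list; one finding per hit."""
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["affected_below"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "severity": adv["severity"],
                    "fix_available": adv["fixed_in"] is not None,
                })
    return findings


def recommend(findings):
    """Map findings onto the escalation ladder: monitor, patch, segment, isolate."""
    if not findings:
        return "monitor"
    unfixable = [f for f in findings if not f["fix_available"]]
    if not unfixable:
        return "patch"
    worst = max(SEVERITY_RANK[f["severity"]] for f in unfixable)
    # An unpatchable critical flaw pushes the device to air-gap / shutdown review;
    # anything less severe but unpatchable is handled by network segmentation.
    return "isolate" if worst >= SEVERITY_RANK["critical"] else "segment"


def triage_inventory(sbom_texts, advisories=ADVISORIES):
    """Parse each SBOM and return {device name: {"action": ..., "findings": [...]}}."""
    report = {}
    for text in sbom_texts:
        sbom = json.loads(text)
        name = sbom["metadata"]["component"]["name"]
        findings = find_affected(sbom, advisories)
        report[name] = {"action": recommend(findings), "findings": findings}
    return report


if __name__ == "__main__":
    for device, result in triage_inventory(SBOMS_JSON).items():
        print(f"{device}: {result['action']}")
        for f in result["findings"]:
            status = "fix available" if f["fix_available"] else "no fix"
            print(f"    {f['advisory']} {f['component']} {f['version']} "
                  f"[{f['severity']}] {status}")
```

On the constructed data the infusion pump carries a patchable TLS flaw and an unpatchable critical RTOS flaw, so it is flagged for isolation (the TLS patch should still be applied); the imaging workstation has only an unpatchable medium-severity finding and is routed to segmentation. The action is per device, so when a device has both fixable and unfixable findings the listed findings tell staff which patches to apply alongside the network control.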
Despite the new regulations and continuous efforts by various stakeholders including hospitals, device manufacturers, and regulators, the challenge of securing legacy medical devices within an ever-evolving technological landscape remains daunting. Stricter governance and innovative cybersecurity measures are anticipated, but there is an acceptance that completely resolving these issues may span generations due to the longevity and crucial nature of existing medical technologies in healthcare settings.