Legacy devices are vulnerable to cyberattacks because they are no longer supported or updated by the manufacturer

Protecting legacy devices against cyberthreats

October 13, 2021
by John R. Fischer, Senior Reporter
A total of 239.4 million cyberattacks were attempted on healthcare institutions in 2020, according to security provider VMware. That research also found an average of 816 attempted attacks per endpoint — a 9,851% increase over 2019.

All of this has forced providers and their healthcare technology management (HTM) teams to think seriously about unauthorized access to their most vulnerable systems. One specific category is legacy devices, which are no longer supported, serviced or patched by the manufacturer.

“It’s very hard to justify from an organizational perspective getting rid of something even if it still works just because it’s no longer supported,” said Samantha Jacques, VP of clinical engineering at McLaren Health Care, during a session at the virtual 2021 AAMI eXchange. “The problem with that is that we run into cybersecurity issues. Any device that isn’t being updated with patches is a target and has the opportunity to become a vector for cyber issues.”

The session, titled “Securing Legacy Devices — Healthcare Sector Coordinating Council Guidance,” was co-hosted by Jacques and Mike Powers, clinical engineering director for Intermountain Healthcare.

The two encouraged clinical engineering teams to take an active role in cybersecurity, since they often understand device security, FDA requirements and device life cycles better than clinicians or IT departments do, and they know how, when and why to update equipment. Tackling the issue, according to Jacques, also means working with the finance department to understand what an incident would cost the organization, and supporting the cybersecurity team so that vulnerabilities are addressed proactively rather than after a breach.

One way of doing this is scanning the legacy devices on the provider network for known vulnerabilities, though the tools for doing so can be costly, and active scans should be tested cautiously, since older devices can hang or crash when probed. Networks can also be segmented with VLANs and firewall rules so that a legacy device is reachable only by the systems that clinically need it, which limits the exposure of vulnerabilities that cannot be patched.
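The segmentation idea above, as an added example that is not code from the article or from the HSCC: a legacy-device VLAN is placed behind a default-deny policy, each device gets an explicit allow-list of the clinical flows it needs (DICOM to a PACS, HL7 to an interface engine, NTP), and everything else in or out of the segment is dropped and logged. The subnet, host addresses, device names, support dates and flows are constructed for illustration; the nftables rendering assumes a Linux firewall between the VLANs and is one possible enforcement point among several.

```python
"""Default-deny policy for a legacy medical-device VLAN (added example).

Not code from the article or the HSCC. The subnet, host addresses, device
names, support dates and clinical flows are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed addresses: the isolated VLAN and the only hosts it may reach.
LEGACY_VLAN = ip_network("10.40.0.0/24")   # segment for unpatched devices
PACS = "10.10.5.20"                        # image archive (DICOM listener)
HL7_ENGINE = "10.10.5.30"                  # interface engine (HL7 over MLLP)
NTP_SERVER = "10.10.1.5"


@dataclass(frozen=True)
class Flow:
    """One clinically required connection out of the legacy VLAN."""
    dst: str
    port: int
    proto: str = "tcp"


@dataclass
class Device:
    name: str
    ip: str
    end_of_support: date          # from the manufacturer's lifecycle notice
    flows: list[Flow] = field(default_factory=list)


# Constructed inventory; in practice this comes from the CMMS / asset register.
INVENTORY = [
    Device("ct-scanner-1", "10.40.0.11", date(2018, 6, 30),
           [Flow(PACS, 104), Flow(NTP_SERVER, 123, "udp")]),
    Device("infusion-pump-7", "10.40.0.52", date(2019, 12, 31),
           [Flow(HL7_ENGINE, 2575)]),
]


def unsupported_devices(inventory=INVENTORY, as_of=None):
    """Names of devices whose manufacturer support ended before `as_of`
    (an ISO date string; defaults to today). These are the legacy devices."""
    cutoff = date.fromisoformat(as_of) if as_of else date.today()
    return [d.name for d in inventory if d.end_of_support < cutoff]


def is_allowed(src, dst, port, proto="tcp", inventory=INVENTORY):
    """Evaluate the segmentation policy for a new connection.

    A connection leaving the legacy VLAN is permitted only if it matches one
    of the source device's explicitly listed flows. An address inside the
    VLAN that is not in the inventory has no flows and is denied (and is
    worth an alert: something unexpected is on the segment).
    """
    if ip_address(src) not in LEGACY_VLAN:
        return False  # this policy only governs the legacy segment
    for dev in inventory:
        if dev.ip == src:
            return Flow(dst, port, proto) in dev.flows
    return False


def render_nftables(inventory=INVENTORY):
    """Render the same allow-list as an nftables forward chain."""
    lines = [
        "table inet legacy_vlan {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for dev in inventory:
        for f in dev.flows:
            lines.append(f"        ip saddr {dev.ip} ip daddr {f.dst} "
                         f"{f.proto} dport {f.port} accept  # {dev.name}")
    # Log what the default drop catches: an unexpected flow from a legacy
    # device is exactly the signal of compromise or misconfiguration.
    lines.append(f'        ip saddr {LEGACY_VLAN} log prefix "legacy-vlan-deny " drop')
    lines.append(f'        ip daddr {LEGACY_VLAN} log prefix "legacy-vlan-deny " drop')
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("Past end of support:", unsupported_devices(as_of="2021-10-13"))
    print(render_nftables())
```

The point of keeping the policy as data is that the same inventory drives both the firewall rules and a quick "should this flow exist?" check during incident triage: a legacy CT scanner opening a connection to anything other than its PACS and NTP server is denied by the ruleset and shows up in the log with the `legacy-vlan-deny` prefix.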

A number of resources are available to providers, such as the Joint Security Plan, a high-level document on how providers can keep their networks secure, which includes a section on medical devices. The Joint Security Plan was developed by the Healthcare Sector Coordinating Council (HSCC), an advisory council of volunteers from healthcare delivery organizations and medical device manufacturers working to identify and mitigate cybersecurity threats that hinder the delivery of healthcare services in the U.S.

One component of the HSCC is the Cybersecurity Working Group, which is divided into 16 smaller groups that together represent 300 healthcare organizations in different medical subsectors. One of those groups aims to address the question of how to better protect older equipment with antiquated software.

That group is called the Med-Tech Legacy Devices Task Group, and Powers is a part of it. The challenge, he says, involves figuring out what to do with current devices and how to build them better moving forward. “We’ve divided our efforts into current and future states in terms of how we deal with devices in your hospital today and how we design better stuff so in the future they don’t become legacy so fast.”

He adds that the task groups need more participation from providers and clinical engineers to help write out cybersecurity standards. “It can’t be the same ten people that always volunteer and help out and need their own biases and perspectives. We need your help.”

One factor that can create tension around device security is access to service manuals. Some manufacturers prevent these documents from being shared with non-OEM servicers, citing the protection of trade secrets or the need to limit who can service the technology. Recently, however, the FDA has stated that it does not consider the sharing of these documents to have a negative impact on cybersecurity.

The FDA's view was put forward as part of a little-known rule-making proceeding at the U.S. Copyright Office that could exempt medical device manuals from copyright protection. If that happens, HTM departments would have greater access to manuals and a better vantage point from which to oversee the cybersecurity of the devices in their hospital.

Cyberattacks on healthcare providers are a fast-growing threat, so it is critical for service engineers to be aware of the risks posed by legacy equipment and to use every tool available to mitigate them.