By Robert Kerwin
In April, the FBI reported a global increase in malicious cyberactivity targeting U.S. healthcare providers, noting that the cyberactivity was exploiting fear derived from the COVID-19 pandemic, including targeted phishing attempts with subject lines and content related to COVID-19. This increase in cyberactivity is part of a general rise in cyber threats and data breaches as reported by HHS’s Civil Rights Division. In light of the increased incidence of healthcare cybersecurity issues, it is heartening to know that efforts are ongoing to protect medical devices.
A public-private partnership of companies, nonprofits and industry associations known as the Healthcare & Public Health Sector Coordinating Councils (HSCC) has formed a Legacy Medical Device Task Group to develop planning guidance to mitigate cyber and physical risks. HSCC is pursuing this initiative in the wake of the Cybersecurity Act of 2015 and presidential executive order [PPD-21], which directed the secretary of Homeland Security, among others, to undertake public-private engagements with critical infrastructure sectors to identify cyber and physical risks for security and resiliency. HSCC has compiled impressive deliverables in its short existence, including a technical volume 1 and volume 2 for small and medium/large hospitals.
Legacy medical devices have been recognized as particularly vulnerable to cyber threats, as cybersecurity for these devices may not have been considered in the initial device design. Replacing technologies is not always feasible. This challenge will no doubt be compounded by the financial challenges hospitals are experiencing as they resume non-urgent care.
Cybersecurity risk-benefit analyses will likely be weighed with the primary goal of patient safety. An effort will be underway to identify compensating controls that may be able to provide a baseline level of security protection. This effort may include mechanisms for updates and patches to be maintained over a device’s clinical useful life. Topics could include whitelisting, hardening and micro-segmenting a network.
One of the leads in the Legacy Medical Device Task Group, Mike Powers, a clinical engineer from Delaware, summarized his hope for the Task Group by noting his wish to help “create an environment or platform where devices which are currently unsupported, can, in fact, become supported.” Reacting to the launch of the Task Group, West Virginia-based Radon Medical Imaging Corporation’s president Tim Martin commented, “We are interested in the takeaways. We are committed to cybersecurity. It is on our mind today and every day.”