The Food and Drug Administration implemented sweeping new regulations last year to improve cybersecurity oversight of medical devices, as cyber-attackers continued to target hospitals. However, the regulator and cyber experts are still struggling to solve one specific threat: legacy medical devices.
Hospitals and health systems across the U.S. are filled with medical technology that use outdated or soon-to-be outdated software, leaving a hole in facilities’ cyber defenses. While devices are rarely the targets of cyberattacks, unsupported legacy medical devices can still be affected by an attack on a hospital’s network, potentially requiring critical equipment to be shut down and jeopardizing patient safety.
“There's this constant tension between trying to secure the device, the economics of keeping older devices, and the priority of taking care of patients in urgent situations where the devices need to be network-connected,” said John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk.
In 2023, the FDA’s Center for Devices and Radiological Health implemented new regulations and guidance designed to minimize cybersecurity risks in medical devices. The new rules prioritized stricter cybersecurity requirements before devices go to market and more comprehensive monitoring standards once products are released.
Experts hailed the regulations as the start of a new era where cybersecurity is finally taken as seriously as it should be.
A crucial piece of the effort involved ensuring that devices going to hospitals would not quickly become outdated and requiring manufacturers to develop specific plans for monitoring and updating or patching older software.
However, a solution remains elusive for the massive number of devices currently in hospitals that may be running on outdated and unsupported software. Nastassia Tamari, director of the CDRH’s Division of Medical Device Cybersecurity, told MedTech Dive in March that no one knows how many legacy devices are in hospitals because there isn’t reliable data. Tamari explained that legacy devices are currently one of the industry’s biggest issues, “with no answer right now.”
Some legacy devices are vital for patient care, so hospitals cannot easily turn them off as a safety measure. Meanwhile, some unsupported devices are expensive, and hospitals cannot simply buy a new machine once the software becomes outdated.
“It is a big problem,” said Ty Greenhalgh, industry principal of healthcare at the cybersecurity firm Medigate by Claroty. “It's so complex ... it's difficult to understand the problem, let alone the solution.”
MedTech Dive spoke with cybersecurity experts about how medical device manufacturers and hospitals can mitigate the risks presented by legacy devices. Here are four steps they recommended:
1. Identify devices
Cybersecurity experts said the first step to addressing the issue of legacy devices is for hospitals to identify how many devices are connected to their network. This can be complicated due to the overwhelming number of potentially connected items.
“We have a massive amount of systems that connect to hospital networks today that are largely unmanaged, or if they are managed, they're quasi-managed by facilities or a third party,” said Richard Staynings, chief security strategist for Cylera, a computer and network security company. “The first things we need to do — and this is something that healthcare does a very bad job of today — is to understand what connects to our networks.”
While the first step may seem rather straightforward, it can be burdensome for individual providers, regulators and device manufacturers.
Claroty’s Greenhalgh said identifying connected devices, including legacy machines, is “damn near impossible.” Hospitals can have hundreds of thousands of machines connected to their networks, everything from medical devices to IT systems, phones and laptops. Greenhalgh explained that identifying a specific machine can be complicated even after it’s found connected to the network, because something like an imaging machine can appear as a “Windows device,” not a medical device.
“The problem is really not as clear as people want it to be,” added Greenhalgh. “But we're getting there.”
Once devices are identified, a hospital's network needs to be continually monitored to identify new devices, threats and discover if any patches or updates are required.
2. Understand vulnerabilities
The next step is to understand the risks that network-connected devices could pose. Some machines may need to be updated with patches or will require updating as soon as operating systems become unsupported, while others may already be outdated with no patches available.
Understanding where vulnerabilities lie is important, so facilities can prepare for emergencies, especially with medical devices used to treat or diagnose patients. Ransomware or another form of a cyberattack can spread throughout a hospital’s system, taking down medical devices like CT scanners and MRI machines, along with other capabilities dependent on that facility’s network.
“Some of the legacy technology does not have basic security features such as encryption of data, encryption of transmission. Some of them still have no passwords or hard-coded passwords you can look up on the internet in the technician’s manual,” said AHA’s Riggi, who worked in various cybersecurity roles for more than five years at the FBI. “The devices still work as designed. They were designed to be durable … It's the operating system, the software, that becomes out of date or is filled with vulnerabilities.”
A software bill of materials (SBOM) is one tool medical device manufacturers can use to help providers know what updates or patches equipment may require, allowing them to better understand potential vulnerabilities. An SBOM is an inventory of all the software components that make up a device.
A detailed SBOM from a device firm can also help hospitals identify machines connected to its network and how to patch or update them if needed, said Anura Fernando, a principal security adviser and global head of medical device security for UL Solutions. Fernando added that an SBOM can trigger a conversation between device manufacturers and hospitals to discuss whether a machine is vulnerable and what controls are in place to manage those risks.
“Some of the legacy technology does not have basic security features such as encryption of data, encryption of transmission. Some of them still have no passwords or hard-coded passwords you can look up on the internet in the technician’s manual.”
John Riggi
American Hospital Association, national adviser for cybersecurity and risk
Under the regulations implemented last year, the FDA now requires manufacturers to supply SBOMs for devices. While some have praised this as an improvement over prior standards, experts have stressed that manufacturers still need to develop devices that are as secure as possible before selling them and should not lean on patches as a development crutch.
“Once you understand how they work, then you can start locking down those devices in a way that allows for improved cybersecurity,” Cylera’s Staynings said. “Let's just assume that we can never patch legacy devices — some can, some can't — but assume worst case scenario, and in that way, what we've been able to do is to protect patient safety and the integrity and security of medical networks.”
3. Use network segmentation
After identifying legacy devices and understanding potential risks, some devices may pose enough of a threat to be contained in their own networks, a process called network segmentation. This step is a safety measure to prevent a cyber threat on a network from reaching a vulnerable device or spreading if the device is compromised.
Network segmentation is a crucial strategy because cyberattacks can spread quickly, not allowing time to protect machines during or after an attack.
“Malware can spread laterally across the network, and before you know it, the entire hospital is down,” Staynings said. “Ambulances are being diverted, patients are being medevac-ed out of hospitals to other nearby facilities, and the costs of restoration and recovery go into the millions and millions of dollars very, very quickly.”
Segmentation does not always mean that machines are closed off completely.
Greenhalgh explained that segmented machines can still be connected to others that are part of a system. For example, an imaging workstation talks to three or four other machines to operate, and these can be segmented in a way that allows them to communicate with “clinically relevant” devices. Administrators can then continue to monitor the machines’ behavior, communicate with medical device companies and act on risks if needed.
Vulnerable legacy devices can also be “air-gapped,” completely closing them off from the network. UL Solutions’ Fernando said that an air gap allows software to keep running, and the step can continue the life of a machine beyond the end of support.
Fernando said that air-gapped devices could still be compromised from USB connections and memory sticks, for example, but “if you put strong access control and physical security policies around an air-gapped device, then you should be able to avoid” many pitfalls.
“There’s this constant tension between trying to secure the device, the economics of keeping older devices, and the priority of taking care of patients in urgent situations where the devices need to be network-connected.”
John Riggi
American Hospital Association, national adviser for cybersecurity and risk
4. Shut down devices
Finally, if a device presents too much of a risk even after segmentation, or it has been corrupted by a cyberattack, hospitals can disconnect it from a network and the internet entirely. However, this is not always an easy decision to make. Deciding to shut down a medical device requires weighing the risk of the threat versus its essentiality for patient care, and replacing a device is expensive.
AHA’s Riggi called shutting down a device the “option of last resort.” If a machine has to be shut down, hospitals need to develop contingency plans, which may include redirecting patients to other facilities. They also must communicate with medical device manufacturers about implementing controls.
“We need to focus on how will we care for patients in the absence of technology for 30 days or longer, because that is the average time we're seeing that it takes for ransomware victims — hospitals — to at least stand back up their core systems,” Riggi added.
Regardless of how well risks are managed or new regulations address the issues, outdated and unsupported machines will always challenge the market simply because software ages and technology keeps advancing.
Complicating the problem is the number of parties involved. Device companies develop and manufacture the products, hospitals monitor the devices and are responsible for connected networks, and various regulators oversee different aspects of the healthcare industry — and all are needed to protect against cyberattacks.
Experts think work is still needed to address current challenges despite the new regulations, particularly strategies to address legacy machines that are currently hospitals today.
Riggi said stricter oversight will help, but “it could take a generation before all that old legacy technology is out of service.”