In recent years, cyberattacks targeting healthcare systems have highlighted a critical vulnerability: legacy medical devices. These older devices, often running on unsupported software, create significant cybersecurity threats within healthcare facilities. The implementation of new FDA regulations aims to strengthen cybersecurity across the healthcare sector, yet the challenge of securing these outdated devices remains. Legacy medical devices, vital for patient care, cannot simply be shut down or replaced, creating a delicate balance between maintaining operational functionality and safeguarding against cyber risks. Here are four steps experts recommend to mitigate risks associated with legacy medical devices.
1. Discover Devices
The first step in mitigating risks from legacy medical devices is to accurately identify how many of these devices are connected to a hospital’s network. This process can be remarkably complex due to the sheer volume of connected systems. According to Richard Staynings, chief security strategist for Cylera, a computer and network security company, many hospital networks have a significant number of unmanaged systems or systems managed by third parties. Understanding the exact inventory of connected devices is critical, and unfortunately, healthcare providers often struggle with this task.
Hospitals can have hundreds of thousands of devices connected to their networks, ranging from medical devices like imaging machines to IT systems, phones, and laptops. Ty Greenhalgh from Claroty emphasizes that accurately identifying connected legacy devices can be nearly impossible. Often, devices appear under generic names, like a “Windows device,” making it difficult to determine what kind of machine is connected without deeper investigation. Despite the challenges, the importance of this step cannot be overstated, as ongoing monitoring and inventory management are essential to identify new devices, potential threats, and necessary updates or patches.
2. Assess Exposures
Once devices are identified, the next step involves understanding the vulnerabilities these network-connected devices might have. Some devices may need immediate patches or updates, while others may already be outdated with no available updates. It’s critical for healthcare facilities to grasp these vulnerabilities so they can prepare for potential emergencies. Medical devices used in essential operations, such as CT scanners and MRI machines, can be severely impacted during a ransomware attack, causing widespread operational disruptions.
John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, points out that many legacy devices lack basic security features such as data encryption and password protections. Medical devices were designed to be durable, but the software they run on often becomes outdated and vulnerable. A valuable tool for understanding device vulnerabilities is the software bill of materials (SBOM), which inventories all the software components of a device. An SBOM can help providers identify machines connected to the network and understand what updates or patches may be necessary. Anura Fernando of UL Solutions highlights that an SBOM can also spark crucial discussions between device manufacturers and hospitals about managing these risks.
Under new FDA regulations, device manufacturers are now required to supply SBOMs for devices. While this is seen as a significant improvement, experts stress that manufacturers must still strive to make devices secure from the outset and should not overly rely on patches and updates as a primary security measure. Understanding how devices work allows for better cybersecurity measures to be put in place, ensuring patient safety and the integrity of medical networks.
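As an added illustration of the SBOM step (example code, not from the article or any manufacturer), the script below reads a constructed CycloneDX-style SBOM for a hypothetical imaging workstation and flags components that sit below a version floor the hospital treats as supported, or that declare no version at all. The component names, versions and floors are all made up; real floors would come from vendor end-of-life notices.

```python
# Added example, not from the article: flag SBOM components that fall below the
# version floor a hospital treats as supported. SBOM and floors are constructed.
import json

SAMPLE_SBOM = json.dumps({  # constructed CycloneDX-style SBOM for a hypothetical device
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-imaging-workstation", "version": "3.2"}},
    "components": [
        {"type": "operating-system", "name": "example-os", "version": "7.0"},
        {"type": "library", "name": "example-tls", "version": "1.0.2"},
        {"type": "library", "name": "example-dicom-toolkit", "version": "3.6.5"},
        {"type": "application", "name": "example-viewer"},  # no version declared
    ],
})

# Constructed policy: minimum versions still supported. Real values would come
# from vendor end-of-life notices and the hospital's own risk decisions.
MIN_SUPPORTED = {
    "example-os": "8.0",
    "example-tls": "1.1.1",
    "example-dicom-toolkit": "3.6.5",
    "example-viewer": "12.0",
}

def parse_version(v: str) -> tuple:
    """Dotted version to a numerically comparable tuple ('1.0.2k' -> (1, 0, 2))."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def unsupported_components(sbom_json: str) -> list:
    """Return (name, found, floor) for components below their supported floor,
    or with no version at all, which is treated as unknown rather than safe."""
    findings = []
    for c in json.loads(sbom_json).get("components", []):
        floor = MIN_SUPPORTED.get(c.get("name"))
        if floor is None:
            continue  # no policy for this component; nothing to compare against
        found = c.get("version")
        if found is None or parse_version(found) < parse_version(floor):
            findings.append((c["name"], found, floor))
    return findings
```

Versions are compared as integer tuples so that 3.10 correctly ranks above 3.6, which a plain string comparison gets wrong.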
3. Implement Network Division
For any devices identified as highly vulnerable, hospitals can employ network segmentation to isolate these devices on separate networks. Network segmentation is a proactive measure to prevent a cyber threat from spreading to or from a compromised device. This technique is particularly effective because cyberattacks can propagate rapidly, leaving little time to react before significant damage occurs.
Network segmentation doesn’t necessarily mean complete isolation of vulnerable devices. Devices can still be connected internally to other necessary systems while being isolated from broader network access. For example, an imaging workstation that needs to communicate with other medical equipment can be segmented to only interact with clinically relevant devices. Ty Greenhalgh explains that while these machines are segmented, they can still be monitored and managed to mitigate risks continuously.
Moreover, some devices can be air-gapped, or entirely disconnected from the network, to prevent any potential cyber threats. An air gap allows the machine to keep operating beyond the support life of its software, with rigorous access control and physical security measures to prevent compromise from physical sources, like USB drives. Although this is not a perfect solution, it adds a layer of security and extends the device’s usability while ensuring patient safety.
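The segmented imaging workstation described above can be monitored by checking its traffic against the short list of peers it is allowed to talk to. The following is an added example (not code from the article or any vendor) that parses constructed key=value flow records and reports any flow that touches the hypothetical workstation outside its allowlist of PACS and HL7 peers; all addresses and log lines are made up.

```python
# Added example, not from the article: check constructed flow records for a segmented
# legacy imaging workstation against its peer/port allowlist (all addresses made up).
from typing import NamedTuple, Dict, List, Set, Tuple

IMAGING_WS = "10.20.5.10"  # hypothetical legacy imaging workstation
# Clinically relevant peers and the service port of each permitted flow
# (DICOM on 104, HL7 on 2575); applied to both directions for simplicity.
ALLOWED_PEERS: Dict[str, Set[Tuple[str, int]]] = {
    "10.20.5.20": {("tcp", 104)},   # PACS archive
    "10.20.5.21": {("tcp", 2575)},  # HL7 interface engine
}

SAMPLE_FLOW_LOG = """\
2024-05-01T09:00:01Z src=10.20.5.10 dst=10.20.5.20 proto=tcp dport=104 bytes=512000
2024-05-01T09:00:05Z src=10.20.5.20 dst=10.20.5.10 proto=tcp dport=104 bytes=2048
2024-05-01T09:01:12Z src=10.20.5.21 dst=10.20.5.10 proto=tcp dport=2575 bytes=900
2024-05-01T09:02:30Z src=10.20.5.10 dst=10.20.7.33 proto=tcp dport=445 bytes=14000
2024-05-01T09:03:44Z src=10.30.1.9 dst=10.20.5.10 proto=tcp dport=3389 bytes=3300
2024-05-01T09:04:00Z src=10.20.8.1 dst=10.20.8.2 proto=tcp dport=80 bytes=500
"""

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int

def parse_flow_log(text: str) -> List[Flow]:
    """Parse key=value flow lines; malformed lines are skipped, never trusted."""
    flows = []
    for line in text.splitlines():
        try:
            _, *kvs = line.split()  # leading timestamp is not needed for the check
            f = dict(kv.split("=", 1) for kv in kvs)
            flows.append(Flow(f["src"], f["dst"], f["proto"], int(f["dport"]), int(f["bytes"])))
        except (KeyError, ValueError):
            continue
    return flows

def segmentation_violations(flows: List[Flow], device: str = IMAGING_WS) -> List[Flow]:
    """Flows touching the device whose peer/port pair is outside the allowlist."""
    bad = []
    for f in flows:
        if device not in (f.src, f.dst):
            continue  # traffic that does not involve the segmented device
        peer = f.dst if f.src == device else f.src
        if (f.proto, f.dport) not in ALLOWED_PEERS.get(peer, set()):
            bad.append(f)
    return bad
```

In the sample, the SMB flow to 10.20.7.33 and the inbound RDP flow from 10.30.1.9 are reported; the DICOM and HL7 exchanges pass.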
4. Shut Down Devices
While shutting down devices completely may not always be an option, hospitals must develop a preparedness plan that includes the ability to shut down or isolate systems in the event of a cyberattack. This should involve a coordinated effort among IT departments, medical staff, and device manufacturers to ensure any shutdowns or service interruptions have the least possible impact on patient care. Hospitals should continually evaluate which devices are most crucial and create protocols for swiftly dealing with compromised systems. Regular drills and comprehensive training can aid staff readiness and response in the face of potential cyber threats, further securing patient safety and the integrity of healthcare operations.