4 steps to minimize the threat of legacy medical devices


The Food and Drug Administration implemented sweeping new regulations last year to improve cybersecurity oversight of medical devices, as cyber-attackers continued to target hospitals. However, the regulator and cyber experts are still struggling to solve one specific threat: legacy medical devices.

Hospitals and health systems across the U.S. are filled with medical technology that uses outdated or soon-to-be outdated software, leaving a hole in facilities’ cyber defenses. While devices are rarely the targets of cyberattacks, unsupported legacy medical devices can still be affected by an attack on a hospital’s network, potentially requiring critical equipment to be shut down and jeopardizing patient safety.

“There’s this constant tension between trying to secure the device, the economics of keeping older devices, and the priority of taking care of patients in urgent situations where the devices need to be network-connected,” said John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk.

In 2023, the FDA’s Center for Devices and Radiological Health implemented new regulations and guidance designed to minimize cybersecurity risks in medical devices. The new rules prioritized stricter cybersecurity requirements before devices go to market and more comprehensive monitoring standards once products are released.

Experts hailed the regulations as the start of a new era where cybersecurity is finally taken as seriously as it should be.

A crucial piece of the effort involved ensuring that devices going to hospitals would not quickly become outdated and requiring manufacturers to develop specific plans for monitoring and updating or patching older software.

However, a solution remains elusive for the massive number of devices currently in hospitals that may be running on outdated and unsupported software. Nastassia Tamari, director of the CDRH’s Division of Medical Device Cybersecurity, told MedTech Dive in March that no one knows how many legacy devices are in hospitals because there isn’t reliable data. Tamari explained that legacy devices are currently one of the industry’s biggest issues, “with no answer right now.”

Some legacy devices are vital for patient care, so hospitals cannot easily turn them off as a safety measure. Meanwhile, some unsupported devices are expensive, and hospitals cannot simply buy a new machine once the software becomes outdated.

“It is a big problem,” said Ty Greenhalgh, industry principal of healthcare at the cybersecurity firm Medigate by Claroty. “It’s so complex … it’s difficult to understand the problem, let alone the solution.”

MedTech Dive spoke with cybersecurity experts about how medical device manufacturers and hospitals can mitigate the risks presented by legacy devices. Here are four steps they recommended:

1. Identify devices

Cybersecurity experts said the first step to addressing the issue of legacy devices is for hospitals to identify how many devices are connected to their network. This can be complicated due to the overwhelming number of potentially connected items.

“We have a massive amount of systems that connect to hospital networks today that are largely unmanaged, or if they are managed, they’re quasi-managed by facilities or a third party,” said Richard Staynings, chief security strategist for Cylera, a computer and network security company. “The first things we need to do — and this is something that healthcare does a very bad job of today — is to understand what connects to our networks.”

While the first step may seem rather straightforward, it can be burdensome for individual providers, regulators and device manufacturers.

Claroty’s Greenhalgh said identifying connected devices, including legacy machines, is “damn near impossible.” Hospitals can have hundreds of thousands of machines connected to their networks, everything from medical devices to IT systems, phones and laptops. Greenhalgh explained that identifying a specific machine can be complicated even after it’s found connected to the network, because something like an imaging machine can appear as a “Windows device,” not a medical device.

“The problem is really not as clear as people want it to be,” added Greenhalgh. “But we’re getting there.”

Once devices are identified, a hospital’s network needs to be continually monitored to detect new devices and threats, and to determine whether any patches or updates are required.