TORONTO — A ransomware attack earlier this year on the Ascension health system brought systems down across multiple states, forcing pharmacies to close and clinicians to switch to paper records.
The incident is one of several examples of the challenges faced as hospitals have increasingly become targets of cyberattacks. Regulators and medical device companies discussed recent attacks and how to prevent them at Advamed’s The Medtech Conference on Wednesday.
“These are becoming more and more frequent, unfortunately,” said Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the Food and Drug Administration’s device center.
Congress passed regulations in 2023 specifying cybersecurity requirements for medical device manufacturers, and the FDA issued a final guidance later that year.
The new regulations are designed to ensure future devices are secure, but one thing still keeps regulators up at night: legacy medical devices, or machines that have outdated or unsupported software.
Many legacy devices or systems are currently in operation in hospitals. They perform as intended but may have outdated operating systems, which can present cybersecurity vulnerabilities, Schwartz said.
As recently as this summer, the FDA saw submissions for new devices that would run on outdated, unsupported operating systems, according to Schwartz. Such devices are not allowed under the new cybersecurity rules.
The new legislation is designed to minimize the current problem of legacy devices, but “what we’re left with right now remains a huge challenge,” Schwartz added.
In some cases, technical debt is also handed down, when hospitals sell old devices to smaller hospitals, said Chris Reed, Medtronic’s senior director of cybersecurity policy.
“We keep passing the debt around, which makes the environment really hard to secure,” Reed added.
Plan for systems to age
Fixing the problem of legacy medical devices requires medtech companies and hospitals to work together. However, there are some strategies device developers can keep in mind.
Reed advised that companies think ahead about their systems and have a plan for updates. “We’ve sometimes made some bad choices, frankly, around using consumer operating systems like Android for devices, but not really having a good plan of how we’re actually going to keep up with Android the way their ecosystem works,” Reed said.
“They will have a new version of Android out every year, and then immediately one, three versions ago is out of support. That’s fast for medical devices to move.”
Troubleshooting the problem meant figuring out how to get reasonably regular updates to devices. Another solution was to change the device design to a simpler one that wasn’t running on a consumer operating system, and communicate those changes to the FDA, Reed said.
Ashley Mancuso, who oversees product security for Johnson & Johnson Medtech, also highlighted the importance of being able to continuously patch devices in a reasonable timeframe. If a patch does not impact a device’s fit, form or function, the company has developed an accelerated patching process.
“We have successfully been able to create a much more accelerated process to ultimately be able to ensure that patch gets into the device and it ends up being secure,” Mancuso said.
Schwartz said the problem of operating systems being on a different trajectory than medical devices is one the FDA sees frequently.
“That becomes a bigger issue than the FDA can solve on its own, and that is why a lot of our focus has been on, how do we really bring the ecosystem together towards addressing this?” Schwartz said.
The agency has worked with the International Medical Device Regulators Forum, including Health Canada, to address the problem.
“I don’t have necessarily a satisfying answer right now, other than to say … it’s a work in progress,” Schwartz said. “We have to continue trying to address this by bringing all these stakeholders together.”