
 

November 17, 2023
by Ferdous Al-Faruque

Legacy devices report highlights need for data to support future policies

More data is needed to understand the risks legacy connected medical devices pose to the healthcare system, particularly in their vulnerability to cyberattack. That was the key finding of a report contracted by the US Food and Drug Administration to the MITRE Corporation. The report was released on 15 November.
 
The report made four broad recommendations, including sharing responsibilities for legacy devices, managing vulnerabilities, workforce development, and creating partnerships. It also recommends several projects, including a project to study vulnerability management coordination and a pilot project to collect more data to help stakeholders make decisions about legacy devices.
 
"Legacy medical devices do present a heightened cybersecurity risk to the sector because, by internationally recognized definition, legacy medical devices are those that cannot be reasonably protected against current cybersecurity threats," Jessica Wilkerson, senior cyber policy advisor at the Center for Devices and Radiological Health’s (CDRH) Office of Strategic Partnerships and Technology Innovation, told Focus.
 
"When it comes to the recommendations, the biggest one is the data collection," said Wilkerson. "All parts of the sector at this point know that legacy medical devices are a problem, but in terms of having concrete data behind how many devices are legacy, where are the legacy devices, how old are they, how vulnerable are they? These questions are very difficult to answer because that data lives in so many different discrete organizations like hospitals, clinics, and patient homes throughout the country."
 
Many legacy devices are sold via the secondary market to healthcare delivery organizations that cannot afford newer products. Wilkerson noted that the data collection project may help answer important questions such as how often devices are sold, what devices are being sold, how old they are, how vulnerable they are, and what kinds of support they are receiving as part of the sales agreement.
 
Wilkerson said that the agency has not finalized details regarding the data collection project, including who should collect the data, where it should be housed, and how it should be used. Ultimately, she said, the main point is that the data collection is critical so the agency and other stakeholders can make better-informed decisions on how to address legacy devices.
 
"We can conceptually understand that the older medical devices get – especially those that may have been designed at a time when cyber threats were less prevalent, they were less severe, they were less frequent – [they] may face a different level of cybersecurity challenges than ones that are being designed today," said Wilkerson.
 
"The issue of legacy devices…is not just an issue that is related to cybersecurity," she added. "It brings in so many other areas and challenges, including the financial status of different organizations and whether or not they can afford to be refreshing devices. It brings in timelines of how long devices can be supported over their lifecycles. It brings in health equity issues."
 
Wilkerson said that deciding who is responsible for different parts of legacy device management is another important issue that the report tries to address. She noted that medical device manufacturers and healthcare delivery organizations often lack agreement on sharing responsibility, and that is exacerbated when organizations acquire hundreds of legacy devices without figuring out the details beforehand, especially as cyber threats continue to evolve.
 
Wilkerson noted that the report recommends vetted models for information-sharing and responsibility agreements that can be used by medical device manufacturers and healthcare delivery organizations. Using such models, she noted, can save organizations time and effort because they don’t have to come up with their own agreements.
 
Finally, Wilkerson said another key recommendation in the report is to look at the cybersecurity architecture of connected medical devices and the potential to use modular designs so that they can continue to be patched in the future and don’t become legacy products.
 
Now that the report is out, Wilkerson said the hope is to work within the federal government as well as with stakeholders such as the Healthcare Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) to develop roadmaps and implement the recommendations.
 
MITRE legacy devices report