
By Steven Hughes
The title of this article may sound like the old Internet meme “ALL YOUR BASE ARE BELONG TO US” from the opening cutscene of the video game Zero Wing, and it may or may not be a hard thing to hear, but it is true: every technology can become a legacy technology that receives no further updates and cannot reasonably be protected against current cyber threats. All technologies age and will eventually become “legacy.” Legacy medical technologies are a cybersecurity threat not only because they are no longer supported by the original manufacturer or provider, but also because they contain hundreds to thousands of known, potentially exploitable vulnerabilities while continuing to perform essential critical functions in clinical environments, where replacing or updating them is a complex and expensive process.
HELP IS ON THE WAY
The Consolidated Appropriations Act of 2023 is a $1.7 trillion omnibus spending bill signed into law at the end of 2022. It contains new cybersecurity requirements for medical device technology that mirror several recommendations in the FDA’s draft guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. That draft guidance recommended that medical device manufacturers (MDMs) address cybersecurity in their premarket submissions to the agency, including device design, labeling and documentation, details of threat modeling, security controls and a Software Bill of Materials (SBOM). The new legislation includes provisions requiring MDMs to document that their products can be updated and patched and to provide an SBOM for the commercial, open-source and off-the-shelf software components used in medical device technology. This moves the security of medical device technology from “desired” to “required” by statute, giving the FDA explicit authority and oversight where before it had only implicit authority. While the new legislation applies only to new devices, it will ensure that those devices remain secure and mature throughout their entire life cycle.
To help the public and private health care sectors prevent cybersecurity incidents, the Health Sector Coordinating Council (HSCC) and the U.S. Department of Health and Human Services (HHS), through the Administration for Strategic Preparedness and Response (ASPR), released a Cybersecurity Framework Implementation Guide. The guide serves as a road map that helps health care organizations assess their cyber health and resilience, evaluate their current cybersecurity practices and risks, and take action to understand, measure, assess, manage, communicate and improve cybersecurity by implementing the NIST Cybersecurity Framework (CSF). The CSF is vendor and technology neutral. NIST recognizes that the technology landscape is continuously changing, and the CSF is intended to be a living document, refined and improved over time with direct community feedback and involvement, that helps organizations mature and improve their cybersecurity by following the five functions of the Framework Core: Identify, Protect, Detect, Respond and Recover.
The HSCC also recently released the Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS) guide, which defines the shared responsibilities and tasks for mitigating cyber risk caused by legacy medical technologies used in health care environments and by those currently in development. The 115-page comprehensive guide recommends cybersecurity strategies that MDMs, health delivery organizations (HDOs) and independent service organizations (ISOs) can implement to manage legacy medical technology as a shared responsibility, and it provides insights for designing future secure medical technology.
FUTURE PROOFING AGAINST BECOMING A LEGACY
HDOs and ISOs must communicate with MDMs about their current inventory of devices and create a life cycle plan, with a decommissioning policy and procedure, to manage that inventory and to plan for the phasing out and replacement of medical technology as it approaches three milestones. End of guaranteed support (EOGS) is the point after which the manufacturer no longer guarantees full support. End of life (EOL) is the point at which a product reaches the end of its life cycle and the manufacturer no longer sells it beyond its useful life, as defined by the manufacturer’s EOL process, which includes notification to end users. End of support (EOS) is the point after which the manufacturer no longer guarantees full support.
To minimize the slide into a legacy state, MDMs and technology providers must be transparent and must provide technology and components that are updatable and replaceable over time; design devices and software to be modular; use supported, standards-based protocols; include detection and monitoring capabilities; forecast and communicate potential or planned EOGS/EOL/EOS dates; and ship medical technologies with supported operating systems and supporting third-party software so that a device runs the “latest and greatest” out of the box with minimal updates. MDMs and technology providers should also seek out “preferred” software suppliers that provide ongoing software support, supply software supply chain information including dependencies, provide the documentation needed to support risk management and regulatory compliance, engage in collaborative exchange on best practices in design and secure architecture requirements, and proactively engage in cyber risk management activities.
Patching is critically important, but it is extremely difficult to manage effectively without information and communication from the MDM on approved updates, without managing the lag time in patch availability, without easy access to the patches themselves, and without coordinating patching so that it does not disturb clinical care. Coordinating and communicating patching efforts and software updates between MDMs and HDOs/ISOs is critical to their success. Efforts should be designed and engineered to automate this work wherever possible, to allow secure remote management and, if possible, to provide a way of communicating the state of patches, updates and versioning to the HDO/ISO through an application programming interface (API) or a system or web service.
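The inventory and life cycle plan described above, with its EOGS/EOL/EOS milestones, and the patch-state reporting an HDO/ISO would want to expose through an API, can be expressed as a small script. The following is an added example written for this article; it is not code from the HIC-MaLTS guide, the FDA or any manufacturer. The asset ids, models, dates and version strings are constructed, the status names (“legacy”, “limited-support”, “supported”), the action labels and the one-year planning window are assumptions of the example, and the report is generated as of a fixed constructed date so that it is reproducible.

```python
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Device:
    """One inventory record with the three milestones the article defines."""
    asset_id: str
    model: str
    eogs: Optional[date]       # end of guaranteed support
    eol: Optional[date]        # end of life (no longer sold)
    eos: Optional[date]        # end of support
    installed_version: str     # software version running on the device
    approved_version: str      # latest MDM-approved version for this model


# Constructed sample inventory: asset ids, models, dates and versions are
# hypothetical and exist only to exercise the checks below.
INVENTORY = [
    Device("INF-001", "InfusionPump-X", date(2021, 1, 1), date(2022, 6, 30),
           date(2023, 1, 1), "4.2.0", "4.2.0"),
    Device("MON-014", "PatientMonitor-Y", date(2024, 3, 1), date(2025, 1, 1),
           date(2026, 9, 1), "7.0.1", "7.1.0"),
    Device("IMG-007", "Ultrasound-Z", None, None, None, "2.3.0", "2.3.0"),
    Device("VEN-003", "Ventilator-Q", date(2024, 2, 1), date(2024, 8, 1),
           date(2024, 11, 15), "3.9.0", "3.9.0"),
]

AS_OF = date(2024, 6, 1)   # constructed "today" so the report is reproducible

# Status names and the one-year planning window are assumptions of this
# example, not terms taken from the HIC-MaLTS guide.
STATUS_RANK = {"legacy": 0, "limited-support": 1, "supported": 2}
DEFAULT_WARN_DAYS = 365


def lifecycle_status(dev: Device, today: date) -> str:
    """Where the device sits on the EOGS/EOS timeline as of today."""
    if dev.eos is not None and today >= dev.eos:
        return "legacy"            # vendor no longer supports it at all
    if dev.eogs is not None and today >= dev.eogs:
        return "limited-support"   # past EOGS, full support no longer guaranteed
    return "supported"


def next_milestone(dev: Device, today: date):
    """Earliest (name, date) milestone still ahead of today, or None."""
    upcoming = [(name, d) for name, d in (("EOGS", dev.eogs),
                                         ("EOL", dev.eol),
                                         ("EOS", dev.eos))
                if d is not None and d > today]
    return min(upcoming, key=lambda item: item[1]) if upcoming else None


def patch_current(dev: Device) -> bool:
    """True when the installed version matches the MDM-approved version."""
    return dev.installed_version == dev.approved_version


def device_report(dev: Device, today: date,
                  warn_days: int = DEFAULT_WARN_DAYS) -> dict:
    """One record of the kind an HDO/ISO could publish through an API."""
    status = lifecycle_status(dev, today)
    milestone = next_milestone(dev, today)
    days_left = (milestone[1] - today).days if milestone else None
    if status == "legacy":
        action = "decommission-or-compensate"   # no further patches will come
    elif days_left is not None and days_left <= warn_days:
        action = "plan-replacement"             # milestone inside the window
    elif not patch_current(dev):
        action = "schedule-patch"
    else:
        action = "none"
    return {
        "asset_id": dev.asset_id,
        "model": dev.model,
        "status": status,
        "next_milestone": milestone[0] if milestone else None,
        "next_milestone_date": milestone[1].isoformat() if milestone else None,
        "days_to_next_milestone": days_left,
        "installed_version": dev.installed_version,
        "approved_version": dev.approved_version,
        "patch_current": patch_current(dev),
        "action": action,
    }


def inventory_report(devices, today: date,
                     warn_days: int = DEFAULT_WARN_DAYS) -> list:
    """All device records, most urgent first (legacy, then soonest milestone)."""
    reports = [device_report(d, today, warn_days) for d in devices]
    reports.sort(key=lambda r: (STATUS_RANK[r["status"]],
                                r["days_to_next_milestone"]
                                if r["days_to_next_milestone"] is not None
                                else 10 ** 9))
    return reports


if __name__ == "__main__":
    # Emit the report as JSON, the shape a web service or API would return.
    print(json.dumps(inventory_report(INVENTORY, AS_OF), indent=2))
```

The report keeps lifecycle status and patch currency as separate fields on purpose: a device past EOS is flagged for decommissioning or compensating controls regardless of its version, because no approved patch will arrive, while a supported device that lags the approved version is the one a patch cycle can still fix. Feeding real EOGS/EOL/EOS dates from the MDM into the `Device` records is what makes the planning window meaningful.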
Patching is a crucial part of legacy risk management; however, overreliance on patching is an inherent risk, and the health technology sector should try to reduce its current reliance on patching through improved technology design and maintenance practices built from the ground up to meet current and future needs. The health care sector faces a significant legacy technology challenge because many current legacy technologies were not designed to be secure from their inception, nor were they designed to remain secure over an extended time well beyond their planned life expectancy. Until current practices change, the health care sector will remain caught in an endless loop: insecure and insecurable “future legacy” technologies that were once current become insecure “current legacy” technologies, which remain exposed to the increasingly severe cybersecurity risks that legacy technologies pose. Thanks to the tremendous collaborative effort and hard work of the entire medical device community in working together to improve medical technology cybersecurity, we are making significant improvements from which everyone benefits.
Steven Hughes, FAC-COR FACP/PM VHA-CM, is a VISN 21 Biomedical Engineer in the VA Sierra Pacific Network.
