Principles and Practices for the Cybersecurity of Legacy Medical Devices – PT 1
Vital Communications Between Healthcare Provider Organizations and Medical Device Manufacturers During the 4 Stages of the Medical Device Life Cycle
Health care delivery responsibilities during the support life cycle stage
Read this and other blogs by Health-ISAC’s VP of Medical Device Security, Phil Englert, here:
Principles and Practices for the Cybersecurity of Legacy Medical Devices
February 1, 2024
In May 2022, the International Medical Device Regulators Forum (IMDRF) published the “Principles and Practices for the Cybersecurity of Legacy Medical Devices.” This document is cataloged as IMDRF/CYBER WG/N70. The goal was to lay out framework guidance that both medical device manufacturers and health care delivery practitioners could use as a foundation for not only identifying which life cycle phase a medical device may be in but also the responsibilities each party may have in managing the cyber-related risks for those devices.
This column will focus on the health care delivery responsibilities identified in the IMDRF paper during the support life cycle stage and provide some contextual examples so health care providers (HCP) may more consistently implement the recommendations.
Legacy Devices
Before we begin the discussion, let’s start with some definitions so we are on the same page. We’ll begin with the definition of legacy devices. One definition of a legacy device is timebound: a device that is still in use after its expected useful life is exceeded. The American Hospital Association publishes an “Estimated Useful Lives of Depreciable Hospital Assets” to provide health care organizations with estimates for the productive period before assets become technically or commercially obsolete. Another definition may be technology-oriented, referring to outdated software or hardware components contained within still-active systems. Yet another approach is life cycle based: a device or technology that is outdated, unsupported, no longer in production and in need of replacement. For this paper, we will rely on the IMDRF definition of a legacy medical device as one “that cannot be reasonably protected against current cybersecurity threats.” Note that by this definition, a device or system can become a ‘Legacy’ device at any time. The emergence of a new tactic, technique or procedure used by threat actors to carry out attacks, from which the device cannot be protected, can change a device to legacy status.
The IMDRF N70 document describes four life cycle phases or stages: Development, Support, Limited Support, and EOS. This article concentrates on the Stage 2 or Support phase. Before discussing the health care provider’s responsibilities, let’s review the four phases.
Life Cycle Stage One – Development
Stage 1 or the Development phase is a pre-market stage where the medical device manufacturers (MDM) are expected to incorporate security by design principles. These include risk assessments, threat identification, security testing, and risk mitigation to ensure devices can operate safely and securely. Health care providers have few responsibilities at this stage but may be called upon to provide input.
Life Cycle Stage 2 – Support
In Stage 2 or the Support Phase, the device transitions from development to the market and is used for delivering patient care. The health care provider begins to assume some responsibilities in the support phase such as procurement, configuration, monitoring and – in some cases – patching and updating. Developing good communication practices between the HCP and MDM is essential for maintaining the most secure posture possible.
Life Cycle Stage 3 – Limited Support
Stage 3 or the Limited Support phase begins when the manufacturer declares end of life (EOL) for the product and no longer markets or sells it. During this phase, the HCP may continue to operate the device, and the device can be reasonably protected against current cybersecurity threats.
Life Cycle Stage 4 – End of Support
When devices fall into the End of Support phase or Stage 4, they can no longer be reasonably protected as they could in Stage 3. MDMs should communicate transitions at each stage well ahead of time, and communications should identify potential risks the HCP may inherit, as well as mitigation strategies and upgrade opportunities.
At each stage, the HCPs and MDMs have certain responsibilities for establishing and maintaining the security posture of the devices. The N70 document contains recommendations for three responsibility areas: Communications, Risk Management, and Transfer of Responsibility. It makes clear how the responsibilities shift from MDM to HCP as the product life cycle progresses. Let’s look at the three areas of responsibility of the health care provider. I encourage you to read the IMDRF N70 document to gain a solid understanding of the HCP and MDM responsibilities at each phase to better maintain a robust risk management program at every stage during the equipment life cycle.
Communications between the HCP and MDM in Stage 2 can establish the information-flow habits and practices that can keep devices working safely and securely throughout their productive lives. Just as HCPs plan for periodic and on-demand maintenance activities, they should also identify what information is needed to maintain the cyber posture of the device. Identifying the information needed for equipment already in place can help keep it operational and make cyber readiness more efficient and cost-effective. Finding out if a device will receive updates, how often, and for how long can help you make appropriate operational, maintenance, and capital investment decisions. Use an established checklist when considering new equipment. In addition to the security questionnaire, obtain security operations information such as EOL/EOS dates, patch and update cycles, and update strategies for software components such as the operating systems and third-party components. Ask for the MDS2 and SBOM. Obtain secure configuration settings, necessary ports, firewall rules, security scanning capabilities, security logging capabilities, and backup and restore procedures. Establishing an open and regular exchange of security information early in Stage 2 can help maximize the value while maintaining secure operations of essential patient care equipment.
In the next installment, we’ll continue this discussion with a review of Risk Management and Transfer of Responsibility as presented in the IMDRF Principles and Practices for the Cybersecurity of Legacy Medical Devices.