May 13, 2020 By Robert J. Kerwin

This article is reprinted with permission of DOTmed HealthCare Business News and can be read online in its original format at: 

In April, the FBI reported a global increase in malicious cyberactivity targeting U.S. Healthcare providers, noting that the cyberactivity was exploiting fear derived from the COVID-19 pandemic, including targeted phishing attempts with subject lines and content related to COVID-19. This increase in cyberactivity is part of a general rise in cyber threats and data breaches as reported by HHS’s Civil Rights Division. In light of the increased incidence of healthcare cybersecurity issues, it is heartening to know that efforts are ongoing to protect medical devices. 

A public-private partnership of companies, nonprofits and industry associations known as the Healthcare & Public Health Sector Coordinating Councils (HSCC) has formed a Legacy Medical Device Task Group to develop planning guidance to mitigate cyber and physical risks. HSCC is pursuing this initiative in the wake of the Cybersecurity Act of 2015 and presidential executive order [PPD-21], which directed the secretary of Homeland Security, among others, to undertake public-private engagements with critical infrastructure sectors to identify cyber and 

physical risks for security and resiliency. HSCC has compiled impressive deliverables in its short existence, including a technical volume 1 and volume 2 for small and medium/large hospitals. 

Legacy medical devices have been recognized as particularly vulnerable to cyber threats as cybersecurity for these devices may not have been considered in the initial device design. Replacing technologies is not always feasible. This challenge will no doubt be compounded by the financial challenges hospitals are experiencing as they resume non-urgent care. 

Cybersecurity risk-benefit analyses will likely be weighed with the primary goal of patient safety. An effort will be underway to identify compensating controls which may be able to provide a security baseline level of protection. This effort may include mechanisms for updates and patches to be maintained over a device’s clinical useful life. Topics could include whitelisting, hardening and micro-segmenting a network. 

One of the leads in the Legacy Medical Device Task Group, Mike Powers, a clinical engineer from Delaware, summarized his hope for the Task Group by noting his wish to help “create an environment or platform where devices which are currently unsupported, can, in fact, become supported”. Reacting to the launch of the Task Group, West Virginia based Radon Medical Imaging Corporation’s president Tim Martin commented, “We are interested in the takeaways. We are committed to cybersecurity. It is on our mind today and every day.” 

There were also expressions of caution concerning the Task Group endeavors. IAMERS president Diana Upton offered, “we are hearing increased reports that when cyber patches and upgrades are being applied, some are not able to continue maintenance, as the software permits only the original manufacturer thereafter to undertake service. Given the frequency of patches, the system interdependencies and the number of modalities to be supported, we hope cybersecurity support solutions could be safely developed which still give hospitals cost- effective choices.” 

The Task Group members include an array of representatives from industry manufacturers, HDOs, trade associations and other stakeholders. We await their recommendations for greater cybersecurity for legacy devices. 

About the author: Robert J. Kerwin is general counsel for IAMERS, the International Association of Medical Equipment Remarketers and Servicers, and a member of the HSCC Legacy Medical Device Task Group.