HSCC Legacy Medical Device Task Group Aims to Mitigate Cyber Threats

May 13, 2020 By Robert J. Kerwin

This article is reprinted with permission of DOTmed HealthCare Business News and can be read online in its original format at: https://www.dotmed.com/news/story/51199 

In April, the FBI reported a global increase in malicious cyberactivity targeting U.S. healthcare providers, noting that the cyberactivity was exploiting fear derived from the COVID-19 pandemic, including targeted phishing attempts with subject lines and content related to COVID-19. This increase in cyberactivity is part of a general rise in cyber threats and data breaches as reported by HHS’s Civil Rights Division. In light of the increased incidence of healthcare cybersecurity issues, it is heartening to know that efforts are ongoing to protect medical devices.

A public-private partnership of companies, nonprofits and industry associations known as the Healthcare & Public Health Sector Coordinating Councils (HSCC) has formed a Legacy Medical Device Task Group to develop planning guidance to mitigate cyber and physical risks. HSCC is pursuing this initiative in the wake of the Cybersecurity Act of 2015 and presidential executive order [PPD-21], which directed the secretary of Homeland Security, among others, to undertake public-private engagements with critical infrastructure sectors to identify cyber and physical risks for security and resiliency. HSCC has compiled impressive deliverables in its short existence, including a technical volume 1 and volume 2 for small and medium/large hospitals.

Legacy medical devices have been recognized as particularly vulnerable to cyber threats, as cybersecurity for these devices may not have been considered in the initial device design. Replacing technologies is not always feasible. This challenge will no doubt be compounded by the financial challenges hospitals are experiencing as they resume non-urgent care.

Cybersecurity risk-benefit analyses will likely be weighed with the primary goal of patient safety. An effort will be underway to identify compensating controls which may be able to provide a baseline level of security protection. This effort may include mechanisms for updates and patches to be maintained over a device’s clinical useful life. Topics could include whitelisting, hardening and micro-segmenting a network.

One of the leads in the Legacy Medical Device Task Group, Mike Powers, a clinical engineer from Delaware, summarized his hope for the Task Group by noting his wish to help “create an environment or platform where devices which are currently unsupported, can, in fact, become supported”. Reacting to the launch of the Task Group, West Virginia-based Radon Medical Imaging Corporation’s president Tim Martin commented, “We are interested in the takeaways. We are committed to cybersecurity. It is on our mind today and every day.”

There were also expressions of caution concerning the Task Group endeavors. IAMERS president Diana Upton offered, “we are hearing increased reports that when cyber patches and upgrades are being applied, some are not able to continue maintenance, as the software permits only the original manufacturer thereafter to undertake service. Given the frequency of patches, the system interdependencies and the number of modalities to be supported, we hope cybersecurity support solutions could be safely developed which still give hospitals cost-effective choices.”

The Task Group members include an array of representatives from industry manufacturers, HDOs, trade associations and other stakeholders. We await their recommendations for greater cybersecurity for legacy devices. 

About the author: Robert J. Kerwin is general counsel for IAMERS, the International Association of Medical Equipment Remarketers and Servicers, and a member of the HSCC Legacy Medical Device Task Group. 

Implementation of the EU MDRs Delayed Until 26 May 2021

IAMERS continues its role, albeit virtually, as an official observer to the European Commission Medical Device Coordination Group. IAMERS has been participating in the MDCG Subgroup on the MDR regulations on Post Market Surveillance and Vigilance. Under these regulations, manufacturers will furnish reports on the safety of all medical devices to member country regulators no less than annually. Due to the COVID-19 pandemic, the implementation of the applicable regulations has been delayed to 26 May 2021.

IAMERS Joins Healthcare Sector Coordinating Council Cybersecurity Working Group

IAMERS has joined the Healthcare Sector Coordinating Council on behalf of its members. The HSCC is a private-sector organized and managed council created to establish a process to coordinate improvements to the security of critical infrastructure. The U.S. Department of Homeland Security is required to engage and consider the advice of the Sector Coordinating Councils. This Sector Council engages in planning, collaboration and decision-making efforts for the purpose of strengthening the security and resiliency of the sector’s delivery of services and assets essential for the health of U.S. citizens. IAMERS is currently participating in two HSCC cybersecurity initiatives: HSCC’s Legacy Medical Device Task Force and Model Contracts. For more information about HSCC, see https://healthsectorcouncil.org/hscc-cybersecurity-working-group-charter/.

Continued Advocacy

As many of you know, we are continuing our advocacy (albeit virtually) with the Congress, EU and others. We wanted to bring to your attention IAMERS’ latest efforts to advocate for greater access to service access information.

Read more about our efforts here.
