- A report commissioned by the Food and Drug Administration has provided recommendations for how to manage the cybersecurity risks of legacy medical devices.
- Old medical devices pose significant risks if they cannot be reasonably protected against current cybersecurity threats. However, the devices were put on the market legally, and removing them from use has implications for patient safety, clinical operations and healthcare provider finances.
- The FDA asked MITRE to look into the topic, resulting in a report that proposes actions that include research into more modular medical devices and the collection of data on cybersecurity risks.
Congress tasked the FDA with ensuring the cybersecurity of medical devices at the end of last year. The administration published final guidance on premarket submissions in September. However, the advice is focused on newly authorized medical devices and lacks provisions for protecting older products already on the market.
The MITRE report forms part of the FDA’s work to mitigate the risks of legacy devices, which are defined as products that cannot be reasonably protected against current cybersecurity threats. Software patches cannot mitigate the risks because the devices have outdated technology and compatibility issues.
MITRE interviewed medical device manufacturers, healthcare providers and cybersecurity experts to formulate nine recommendations for countering the risks posed by legacy devices. The recommendations are intended to address challenges related to divergent definitions of medical device lifetimes and lifecycle phases, hospitals that lack the resources to buy new devices and more.
The first recommendation is to collect data that supports “informed decisions about the risks and costs of replacement versus the continued use of legacy devices.” Healthcare providers and medical device manufacturers “need to better understand each other’s constraints,” the report states, and aggregated data could “inform policies, regulations and the development of incentives for replacing legacy devices.”
Another recommendation is intended to stop new devices from becoming legacy devices. MITRE wants to see more research into modular medical devices. Isolating the software platform and clinical software and splitting hardware components across multiple circuit boards could enable healthcare providers to upgrade legacy software and hardware without replacing the entire medical device.
“There are economic considerations in the adoption of modular design, and the data recommended to be gathered during the collection pilot may be able to contribute to the discussion about the tradeoffs,” the report states.
Other recommendations include the creation of an information sharing agreement template to increase transparency between medical device manufacturers, healthcare organizations and security architecture working groups, giving the parties visibility into device security and providers’ networks and security environments that are typically kept secret.
The FDA said the report “outlines practical approaches and recommendations that build on previous work and can further drive sector-wide legacy device cyber risk management efforts.”