Legacy medical devices, growing hacker threats create perfect storm of cybersecurity risks
While ransomware attacks on hospitals and health systems are growing in sophistication, healthcare organizations are faced with one of their biggest cybersecurity challenges — defending older legacy medical devices against new cyber threats.
Legacy medical devices in current use by healthcare
organizations were designed and manufactured long before the medtech industry
was thinking critically about cybersecurity features. Many older medical
devices in operation today — using outdated or insecure software, hardware and
protocols — were not built with cyber protections in mind, leaving healthcare
organizations vulnerable to attack and putting the reputation and financial
stability of device companies at risk.
Despite the cybersecurity risks, the number of connected
medical devices being used in hospital networks is rapidly increasing. Over the
next decade, the number of connected medical devices — devices connected to the
Internet — is expected to increase from 10 billion to 50 billion, according to
IBM.
"Stuff that's 10-15 years old really was never designed
to be on a network," according to David Finn, executive vice president at
cybersecurity consulting firm CynergisTek and a former CIO of Texas Children's
Hospital. "Anything that connects to the Internet is going to be at
risk."
Making matters worse, legacy devices are using operating
systems such as Windows XP that Microsoft no longer supports with security
patches and updates.
"That's 20 years old. But some of these large pieces of
medical equipment can last that long and still function from a medical
perspective just fine," acknowledged Zach Rothstein, AdvaMed's vice
president for technology and regulatory affairs.
Internet of things cybersecurity company Forescout, in a
2020 device security report, predicted that healthcare organizations will have
to deal with medical devices running legacy operating systems for the
foreseeable future.
"The percentage of devices running entirely unsupported
[OS] versions has not changed, remaining constant at 0.4% (between 2019 and
2020). This includes now-obsolete Windows OSes like Windows XP and Windows
Server 2003," the report notes, suggesting the legacy OS problem will
continue well into the future.
While that is a small share, the systems most affected tend to be some
of the most critical devices in healthcare organizations supporting clinical
care, such as insulin pumps and ventilators, the report notes.
Marc Schlessinger, a senior associate at watchdog group
ECRI, said medical device security is often among the weakest links in a
healthcare organization and called legacy devices a particularly challenging
area because of well-known vulnerabilities that can't be patched.
Chris Gates, director of product security at medical device
engineering firm Velentium, argues that "you can't always bolt on security
after the fact, especially with a legacy piece of equipment — I've literally
handed checks back to clients and told them there's no fixing this."
As recently as last year, Schlessinger said he saw older
equipment in hospitals running on Windows 98, despite the fact that Microsoft
stopped all support for the operating system in 2006. These kinds of OS issues
are common with aging medical imaging systems.
"But you're not going to find a hospital who is very
quick to replace a $1.5 million MRI or CT because the operating system is
outdated," Schlessinger said. Instead, he recommends healthcare
organizations employ best practices to manage security risks including
isolating connected medical devices as much as possible from hospital networks.
At the same time, Schlessinger acknowledges that
disconnecting devices from hospital networks is often not practical, as doing
so could disrupt clinical workflow critical to patient care.
Velentium's Gates, who defines legacy medical devices as
those systems that cannot be brought up to current cybersecurity standards,
contends the U.S. needs to get rid of those devices that are "highly
insecure" and have been in hospitals for 20 years or more. "Let's
clean out the dead wood," he said.
However, limited financial and staffing resources amid
competing priorities at healthcare organizations are major obstacles to fixing
vulnerabilities in legacy medical devices, because neither replacing nor
remediating them is cost-effective.
The problem is that security analysts and regulators are
"too busy trying to keep up with potential vulnerabilities in new devices
to spend time on medical systems that have been in clinical use for
years," according to Mike Rushanan, director of medical security at
consultancy Harbor Labs. The same cannot be said of the hacker community, which
he argues has the resources and patience to continually find new cybersecurity
vulnerabilities.
Hospitals, devicemakers spar over responsibility, regs
Cybersecurity experts maintain that identifying and
classifying medical devices running legacy operating systems is critical for
risk mitigation, and recommend that devices which cannot be retired or patched be
segmented so that they can reach only the information and services they need.
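To make the identify-classify-segment recommendation concrete, here is an added example (not code from the article or from any company it quotes) that walks a constructed device inventory, flags devices whose operating system no longer receives vendor patches, computes the Forescout-style "share of devices on unsupported OS" metric, and ranks which devices to segment first. The end-of-support dates, the list of critical device types and the inventory records are assumptions for illustration.

```python
"""Classify a medical-device inventory by OS support status and decide which
devices need network segmentation. Added illustration with constructed data."""
from dataclasses import dataclass
from datetime import date

# Assumed end-of-support dates: Windows 98 per the article (2006); the other
# two are Microsoft's published end-of-extended-support dates.
END_OF_SUPPORT = {
    "Windows 98": date(2006, 7, 11),
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}
# Device classes the article names as clinically critical.
CRITICAL_TYPES = {"insulin pump", "ventilator", "mri", "ct"}

@dataclass(frozen=True)
class Device:
    asset_id: str
    device_type: str   # lower-case, e.g. "ventilator"
    os_name: str       # as recorded in the inventory
    shared_vlan: bool  # True if it sits on the general hospital network

def is_unsupported(dev: Device, today: date) -> bool:
    """True when the OS vendor no longer ships security patches."""
    eos = END_OF_SUPPORT.get(dev.os_name)
    return eos is not None and eos < today

def recommend(dev: Device, today: date) -> str:
    """Unsupported OS on a critical device still on the shared network is the
    worst case and is flagged first; other unsupported devices get segmented."""
    if not is_unsupported(dev, today):
        return "monitor"
    if dev.device_type in CRITICAL_TYPES and dev.shared_vlan:
        return "isolate-now"
    return "segment"

def unsupported_share(devices, today: date) -> float:
    """Fraction of the fleet on unsupported OS versions (the metric the
    Forescout report tracks; 0.4% in its 2019-2020 sample)."""
    return sum(is_unsupported(d, today) for d in devices) / len(devices) if devices else 0.0

# Constructed sample inventory (not real assets).
INVENTORY = [
    Device("A-001", "ct", "Windows XP", shared_vlan=True),
    Device("A-002", "ventilator", "Windows XP", shared_vlan=False),
    Device("A-003", "infusion pump", "Windows Server 2003", shared_vlan=True),
    Device("A-004", "workstation", "Windows 10", shared_vlan=True),
    Device("A-005", "mri", "Windows 98", shared_vlan=True),
]
```

Running `recommend` over a real inventory export gives a prioritised segmentation list; the "isolate-now" bucket is the one Schlessinger's advice targets, and the ventilator that is already off the shared VLAN shows why isolation status matters as much as OS age.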