Legacy medical devices, growing hacker threats create perfect storm of cybersecurity risks

While ransomware attacks on hospitals and health systems are growing in sophistication, healthcare organizations are faced with one of their biggest cybersecurity challenges — defending older legacy medical devices against new cyber threats.

Legacy medical devices still in use by healthcare organizations were designed and manufactured long before the medtech industry was thinking critically about cybersecurity. Many older medical devices in operation today run outdated or insecure software, hardware and protocols and were not built with cyber protections in mind, leaving healthcare organizations vulnerable to attack and putting the reputation and financial stability of device companies at risk.

Despite the cybersecurity risks, the number of connected medical devices being used in hospital networks is rapidly increasing. Over the next decade, the number of connected medical devices — devices connected to the Internet — is expected to increase from 10 billion to 50 billion, according to IBM.

"Stuff that's 10-15 years old really was never designed to be on a network," according to David Finn, executive vice president at cybersecurity consulting firm CynergisTek and a former CIO of Texas Children's Hospital. "Anything that connects to the Internet is going to be at risk."

Making matters worse, many legacy devices run operating systems such as Windows XP that Microsoft no longer supports with security patches and updates.

"That's 20 years old. But some of these large pieces of medical equipment can last that long and still function from a medical perspective just fine," acknowledged Zach Rothstein, AdvaMed's vice president for technology and regulatory affairs.

Internet of things cybersecurity company Forescout, in a 2020 device security report, predicted that healthcare organizations will have to deal with medical devices running legacy operating systems for the foreseeable future.

"The percentage of devices running entirely unsupported [OS] versions has not changed, remaining constant at 0.4% (between 2019 and 2020). This includes now-obsolete Windows OSes like Windows XP and Windows Server 2003," the report notes, suggesting the legacy OS problem will continue well into the future.

Though the share is small, the devices most affected tend to be among the most critical ones supporting clinical care in healthcare organizations, such as insulin pumps and ventilators, the report notes.

Marc Schlessinger, a senior associate at watchdog group ECRI, said medical device security is often among the weakest links in a healthcare organization and called legacy devices a particularly challenging area because of well-known vulnerabilities that can't be patched.

Chris Gates, director of product security at medical device engineering firm Velentium, argues that "you can't always bolt-on security after the fact, especially with a legacy piece of equipment — I've literally handed checks back to clients and told them there's no fixing this."

As recently as last year, Schlessinger said he saw older equipment in hospitals running on Windows 98, despite the fact that Microsoft stopped all support for the operating system in 2006. These kinds of OS issues are common with aging medical imaging systems.

"But you're not going to find a hospital who is very quick to replace a $1.5 million MRI or CT because the operating system is outdated," Schlessinger said. Instead, he recommends healthcare organizations employ best practices to manage security risks including isolating connected medical devices as much as possible from hospital networks.

At the same time, Schlessinger acknowledges that disconnecting devices from hospital networks is often not practical, as doing so could disrupt clinical workflow critical to patient care.

Velentium's Gates, who defines legacy medical devices as those systems that cannot be brought up to current cybersecurity standards, contends the U.S. needs to get rid of those devices that are "highly insecure" and have been in hospitals for 20 years or more. "Let's clean out the dead wood," he said.

However, limited financial and staffing resources, amid competing priorities at healthcare organizations, are major obstacles to fixing vulnerabilities in legacy medical devices, because it is not cost-practical either to replace them or to remediate them.

The problem is that security analysts and regulators are "too busy trying to keep up with potential vulnerabilities in new devices to spend time on medical systems that have been in clinical use for years," according to Mike Rushanan, director of medical security at consultancy Harbor Labs. The same cannot be said of the hacker community, which he argues has the resources and patience to continually find new cybersecurity vulnerabilities.

Hospitals, devicemakers spar over responsibility, regs

Cybersecurity experts maintain that identifying and classifying medical devices running legacy operating systems is critical to risk mitigation. They recommend that devices that cannot be retired or patched be segmented so that they can reach, and be reached by, only the specific information and services their clinical role requires.
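The two recommendations that run through this article, classify devices by whether their operating system is still supported and then isolate the unpatchable ones as far as clinical workflow allows, can be expressed as a small inventory-review script. The example below is added here and is not code from the article or from any of the firms quoted in it. The device inventory is constructed for illustration; the end-of-support dates are Microsoft's published lifecycle dates for the operating systems the article names; the rule syntax is a generic 5-tuple notation rather than any particular firewall product's, and each device's "needs" list (the clinical flows it must keep, such as sending DICOM images to a PACS) is an assumption that a real deployment would take from its own clinical engineering records.

```python
from dataclasses import dataclass, field
from datetime import date

# Vendor end-of-support dates (Microsoft lifecycle). None = still supported.
# Assumption: this table is maintained by hand; in production it would be
# fed from an asset-management or vulnerability-management system.
END_OF_SUPPORT = {
    "Windows 98": date(2006, 7, 11),
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 10": None,
}


@dataclass
class Device:
    name: str
    os: str
    ip: str
    # Clinical flows the device legitimately needs: (peer_ip, proto, port).
    needs: list = field(default_factory=list)


def is_unsupported(os_name: str, today: date) -> bool:
    """True if the OS has passed its vendor end-of-support date.

    Unknown OS names are treated as supported here so they surface as a
    separate inventory gap rather than being silently isolated."""
    eos = END_OF_SUPPORT.get(os_name)
    return eos is not None and eos <= today


def classify(inventory, today: date):
    """Split the inventory into (unsupported, supported) device lists."""
    unsupported = [d for d in inventory if is_unsupported(d.os, today)]
    supported = [d for d in inventory if not is_unsupported(d.os, today)]
    return unsupported, supported


def unsupported_share(inventory, today: date) -> float:
    """Fraction of devices on an unsupported OS (the figure the Forescout
    report quotes as a percentage of the fleet)."""
    if not inventory:
        return 0.0
    return len(classify(inventory, today)[0]) / len(inventory)


def segmentation_rules(device: Device):
    """Default-deny allowlist for one device that cannot be patched.

    Only the declared clinical flows are permitted, in the direction the
    device initiates them; everything else to or from the device is dropped.
    This keeps the workflow (e.g. image transfer to PACS) while removing the
    device's exposure to the rest of the hospital network."""
    rules = [f"allow {proto} {device.ip} -> {peer}:{port}"
             for peer, proto, port in device.needs]
    rules.append(f"deny any {device.ip} -> any")
    rules.append(f"deny any any -> {device.ip}")
    return rules


def segmentation_plan(inventory, today: date):
    """Map each unpatchable device's name to the rules that isolate it."""
    unsupported, _ = classify(inventory, today)
    return {d.name: segmentation_rules(d) for d in unsupported}


# Constructed sample inventory (not real hospital data). PACS at 10.20.0.5,
# DICOM on TCP 104 (the IANA-registered DICOM port).
PACS = "10.20.0.5"
INVENTORY = [
    Device("MRI-01", "Windows XP", "10.10.5.11", [(PACS, "tcp", 104)]),
    Device("CT-02", "Windows 98", "10.10.5.12", [(PACS, "tcp", 104)]),
    Device("PUMP-07", "Windows 10", "10.10.7.30"),
    Device("VENT-03", "Windows 10", "10.10.7.31"),
    Device("PACS-01", "Windows 10", PACS),
]

if __name__ == "__main__":
    today = date.today()
    print(f"unsupported share: {unsupported_share(INVENTORY, today):.1%}")
    for name, rules in segmentation_plan(INVENTORY, today).items():
        print(name)
        for r in rules:
            print("   ", r)
```

Running the script lists the two imaging systems as unpatchable and emits, for each, one allow rule for its PACS transfer and two deny rules covering every other direction. The design choice worth noting is the ordering: the deny rules come last so that the clinical flow keeps working, which is the practical compromise the article describes between full isolation and an unsegmented network.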
