The MITRE Corporation created the White Paper “Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks” in November 2023. While not official FDA guidance, it gathers insights from industry stakeholders, the FDA, and other government agencies. The paper discusses cybersecurity challenges related to using Legacy Medical Devices. Some of these devices are crucial in healthcare but face difficulties in guarding against modern cyber threats. Removing them outright could risk patient safety, operations, and finances. Due to outdated technology, regular updates may not work, requiring alternative ways to manage cyber risks. This paper builds on healthcare sector efforts, providing advice and immediate solutions. It highlights challenges in securing legacy medical devices, previous initiatives, difficulties in implementation, and suggestions to overcome these hurdles.
Before giving recommendations, the white paper presents some of the previous work done to support the resolution of legacy medical device cybersecurity issues and follows with some gaps that remain from these efforts. Below is a timeline that depicts the previous efforts outlined in the paper.
After providing some background, the remaining gaps are identified which the paper aims to fill.
Gaps in Existing Previous Work
- Data Shortage: There's not enough data for Health Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) to make informed decisions or shape future policies based on risk management frameworks.
- Unclear Device Lifecycles: Defining clear lifetimes and phases for medical devices is essential. It helps set shared responsibility between HDOs and MDMs. Sometimes devices are used longer than advised and sold to smaller HDOs without proper risk management.
- Lack of Role Clarity: There's a lack of clarity regarding roles throughout a product's lifecycle.
- Limited Understanding: There's insufficient understanding of device design, security, and the environments they operate in.
- Assistance for Under-Resourced HDOs: Frameworks offer recommendations, but under-resourced HDOs, especially in rural areas, struggle to implement them. Identifying resources to aid them is crucial, and MDMs should consider adopting standardized processes.
Next, the paper provides eight (8) recommendations to move toward managing cybersecurity risks in legacy medical devices.
The recommendations may be summarized as follows:
|I. Shared Responsibility Over the Medical Device Lifecycle
|Pilot data collection to support decision making for legacy device risk management
|Develop information sharing agreement templates to increase transparency
|Establish security architecture working group
|Develop research program in modular design for medical devices
|II. Vulnerability Management
|Conduct study on vulnerability management coordination
|III. Workforce Development
|Development of competency models for roles related to legacy cyber risk
|Identify resources for workforce development
|IV. Mutual Aid
|Participation in mutual aid partnerships
Before the above recommendations can be executed, the paper describes the need for the establishment of governance for both Medical Device Manufacturers (MDMs) and Health Delivery Organizations (HDOs). Governance essentially means that each organization type establishes rules and strategies that describe cybersecurity-related policies, practices, procedures, education, training, and roles and responsibilities identifying how organizations identify, protect, detect, respond, and recover from cyber incidents. .
I.1 Recommendation 1 – Pilot data collection to support decision-making for legacy device risk management:
- Execute pilot to collect a snapshot of data to be used by the individual participants.
- Aggregated results could then be used by non-participants to provide some measurable baseline that they can use in their decision-making, as well as informing future work.
- Pilot should develop processes, data standards, etc, that can be reused by HDOs and MDMs in ongoing collection and analysis activities.
- The Pilot should be managed to collect data focused on the following:
- Devices & Lifecycle
- Managing Vulnerabilities
- Costs & Impact
- Simplify Data Collection
- Source Identification: Find where relevant data exists.
- Standardize Data: Create uniform standards for easy comparison.
- Representative Sample: Include a diverse sample of HDOs and MDMs.
- Tool Development: Make tools to handle data efficiently.
I.2 Recommendation 2 – Develop information-sharing agreement templates to increase transparency
While Information Sharing Agreements (ISAs) are commonly used and initiated by HDOs, they tend to be part of other agreements across all medical devices regardless of expected use or product status. The paper recommends templates to be created to streamline the process and ensure appropriate expectations are included for managing legacy medical device cybersecurity risks.
I.3 Recommendation 3 – Establish security architecture working group
Due to concerns about potential loss of intellectual property, as well as exposing sensitive information to third parties and malicious actors, there is a knowledge gap between MDMs and HDOs regarding medical device security architectures as well as HDO network and security environments. To bridge this gap, the paper proposes forming a working group with representatives from all involved parties. This group should aim to:
- Identify and prioritize security measures for devices and HDO networks to enhance cyber risk management.
- Define generic functional and network components in a high-level architecture.
- Create a standardized way to describe controls, components, and data flows.
- Develop sample architectural descriptions. These can be adapted by MDMs and HDOs for two main purposes: sharing security info during procurement and collaborating on new product designs.”
I.4 Recommendation 4 – Develop a research program in modular design for medical devices
A government-funded research program is suggested to explore modular design techniques for medical devices along with an efficient manner of verifying and validating upgrading those modules. The goal of this research is to help foster the ability of HDOs to upgrade components as opposed to total replacement.
II.1 Recommendation 5 – Conduct a study on vulnerability management coordination.
The paper describes the complexities involved in vulnerability management today including varied notification sources of communication of vulnerabilities, complexity in HDO determination of devices impacted by vulnerability, determining means for deploying patches, and compensating actions HDOs must take when a vulnerability is disclosed without an available patch. As a result, the paper recommends a study to explore a means for streamlining and improving the current resource-intensive process.
One large area in need of improvement described is that of developing workforce skills in roles surrounding legacy cybersecurity risk management. Recommendations 6 and 7 are given for workforce development to support improvement in the skills of this workforce.
III.1 Recommendation 6 – Develop competency models for roles related to legacy cyber risk
The paper provides a sample competency model appropriate for HDOs and describes key areas to consider for inclusion in such a model. The competency model recommendations included the following areas: cybersecurity skills, critical roles, support and resources, and timing/prioritization.
III.2 Recommendation 7 – Identify resources for workforce development
This recommendation identifies the importance of finding resources for training, especially for under-sourced HDOs who may struggle in this area. Two example sources are given including: CISA cybersecurity Workforce Training Guide and Cyber Career Pathway Tool and The Federal Virtual Training Environment, a free cybersecurity course program on network security, managing cyber risks, and defending against cyber incidents to the public.”
IV.1 Recommendation 8 – Participation in mutual aid partnerships
The paper’s final recommendation is given to support less-resourced and safety-net rural hospitals. The paper presents different models for mutual aid including ad-hoc relationships, private sector partnerships, and state/local government partnerships.
In summary, the paper outlined the next steps to improve cybersecurity risks associated with legacy medical devices including:
- Understand Risks: Collect data to make informed decisions and create tools for transparency.
- Simplify Vulnerability Management: Find easier ways to handle security updates.
- Skilled Workforce: Develop a competent team to manage device risks.
- Support for Smaller Providers: Help less-resourced organizations manage older devices.
Need guidance on how to begin the next steps to improve legacy medical device cybersecurity risk recommendations outlined in this MITRE White Paper or any other applicable risk management strategies? Contact MEDIcept for help at email@example.com.
 The MITRE Corporation, “Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks,” November 2022. [Online]. Available: https://www.mitre.org/sites/default/files/2023-11/PR-23-3695-Managing-Legacy-Medical-Device Cybersecurity-Risks.pdf.
 IMDRF, “Principles and Practices of Cybersecurity for Legacy Medical Devices (IMDRF/Cyber WG/N70Final:2023),” 11 April 2023. [Online]. Available: https://www.imdrf.org/documents/principles-and-practices-cybersecurity-legacy- medical-devices.
 IMDRF, “Principles and Practices for Medical Device Cybersecurity (IMDRF/Cyber WG/N60Final:2020),” 18 March 2020. [Online]. Available: https://www.imdrf.org/documents/principles-and-practices-medical-device- cybersecurity.
 HSCC Cybersecurity Working Group, “Health Industry Cybersecurity: Managing Legacy Technology Security (HIC-MaLTS),” March 2023. [Online]. Available: https://healthsectorcouncil.org/wp-content/uploads/2023/03/Health-Industry- Cybersecurity-Managing-Legacy-Technology-Security-HIC-MaLTS.pdf.
Marion Cappadona – Senior Consultant. Software and Systems