On March 2nd, 2023, the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) published a guidance, “Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS). The same day the White House published its “National Cybersecurity Strategy”; which outlines a ”Five Pillar Approach” to protect critical infrastructure within the United States from emerging cyber threats. The guidance emphasizes cyber threats to the healthcare sector are a significant problem, with ransomware attacks, vulnerabilities in digital infrastructure, and risks from an increasingly complex healthcare ecosystem. The healthcare sector is adopting digital wellness and fitness technologies, as well as remote care models, which further increase cybersecurity risks. Legacy technologies present a particular challenge as they cannot be reasonably protected against current cyber threats, and many may contain insufficient or no security controls. Legacy technologies have been identified as root causes of security incidents, and addressing these issues is essential for improving the cybersecurity capabilities and resilience of the healthcare sector. The Healthcare Sector Coordinating Council has proposed recommendations to address these legacy technology challenges, which were developed by 67 industry and government member organizations.
Legacy technologies present a particular challenge as IMDRF defines them as a device that cannot be reasonably protected against current cyber threats, and many may contain insufficient or no security controls.” The guidance outlines four “core” practices essential for legacy technology cybersecurity programs: Governance, communication, risk management, and future-proofing.
- Governance
Governance is concerned with cybersecurity-related policies, practices, procedures, education, training, and roles and responsibilities. The article discusses the responsibility of medical device manufacturers (MDMs) to identify and manage cybersecurity risks and hazards throughout the total product lifecycle of their devices. It suggests that all MDMs, regardless of size, should have a governance structure in place to ensure they can identify and manage legacy cybersecurity issues. This requires documented policies and procedures; some organizations may establish a management team composed of cross-functional stakeholders. The article identifies various stakeholders, including senior leadership, engineers, product security and safety professionals, QA and regulatory professionals, IT professionals, and external partners. Stakeholders should be involved in the governance body to ensure any decision considers the impacts on patient safety, product efficacy, and the organization's IT infrastructure.
- Communication
Effective communication is essential for managing cybersecurity risk. Policies and procedures for ongoing communication between stakeholders should be established upfront and supported throughout the technology lifecycle. The article emphasizes the importance of effective communication in managing cybersecurity risks in legacy technology, particularly in the healthcare industry. It highlights the need to establish policies and procedures for ongoing communication between stakeholders, identifying key considerations such as who should communicate, what to communicate, when to communicate, and to whom to communicate. The guidance recommends ISO/IEC 29147:2018 and ISO/IEC 30111:2019 as useful resources for communication policies and procedures.
Additionally, the article discusses several communication considerations, including protected health information (PHI) protections, coordinated vulnerability disclosure programs, and technology lifecycle information. It is recommended that both healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) understand their roles and responsibilities for managing and securing sensitive data, including the removal of PHI, passwords, storage media, and remote access.
Coordinated Vulnerability Disclosure (CVD) programs are a recommended tool for managing vulnerabilities in legacy medical technologies . Coordinated Vulnerability Disclosure Programs allow third parties to disclose vulnerabilities in hardware, software, and services directly to the vendors. It is recommended that organizations establish and maintain CVD programs to manage cybersecurity and legacy technology communication effectively.
Device manufacturers and other relevant parties need to collaborate to ensure accurate and up-to-date information is communicated to the most relevant recipients about the expected lifecycle of medical technologies. They should establish processes for updating customer contact information and medical device or technology inventory status at least annually. Lastly, technical documentation provided to customers should include information pertaining to end of guaranteed service (EOGS), end of service (EOS), and end of life (EOL) dates.
- Risk Management
It is critical that medical device manufacturers (MDMs) implement security, safety, and risk management processes, including specific considerations for legacy devices. The risk management process for legacy devices should include various stages such as risk management planning, establishment of risk acceptability criteria, risk assessment, application of risk controls, evaluation of overall residual risk, risk acceptability, risk management reporting, and production and post-production activities.
MDMs are advised to consider various resources, such as AAMI TIR57, AAMI TIR97, IEC 81001 security, NEMA/MITA CSP 2 Devices 2021, and Best Practices Framework for Medical Imaging Security, to support the development of a legacy device risk management program. The process should involve a comprehensive and holistic risk assessment to avoid patient safety risks or major disruptions to clinical or data workflows. It is also important to note that security risk controls may have an impact on patient safety risks, and safety risk controls may have an impact on security risks.
MDMs must play a role in ensuring that information needed by healthcare delivery organizations (HDOs) to perform contextual reassessments appropriately is available. It is foreseeable that the initial MDM risk assessment and risk controls associated with legacy devices may need additional reassessment within HDO environments due to contextual variations, such as different risk criteria or risk tolerance. MDMs should send communications to HDOs warning of approaching device EOL/EOGS/EOS dates, provide relevant security documentation, and recommend steps that HDOs should take to prepare devices for EOL/EOGS/EOS, including contact changes or license transfer.
- Future Proofing
The article discusses the challenges of managing legacy technologies in the healthcare sector, including current legacy technologies and future legacy technologies that will one day be outdated. It emphasizes the need to improve the design, deployment, and maintenance of technologies to address these challenges. The article provides recommendations for addressing known legacy issues during threat modeling, including considerations of new and emerging cyber threats, unsupported components, unauthorized access, network “noise,” data confidentiality, system-level and system-of-system risks, physical security, all-hazards risk management, and indirect cybersecurity risks. It highlights the importance of ensuring patient safety and appropriate safeguards, including thorough encryption and access control mechanisms.
After analyzing the cybersecurity risks faced by the healthcare sector, the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has proposed recommendations to address the challenges posed by legacy technologies. Legacy technologies have been identified as a root cause of security incidents in the healthcare industry, and their lack of security controls makes them particularly vulnerable to cyber threats. With the publication of the HSCC's “Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS)” guidance and the White House's “National Cybersecurity Strategy,” the healthcare sector can now take critical steps towards protecting itself against emerging cyber threats and safeguarding critical infrastructure within the United States.
References:
https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf