Secure Your Legacy Devices—Or Else!


By: Martha Vockley

June 8, 2021

Categories: AAMI News, HTM Professionals, Medical Device Manufacturers

Ransomware - Hero
If you’re not working proactively to protect legacy devices, you’re leaving your healthcare system vulnerable to cyberattacks.

“No one is immune,” said Samantha Jacques, vice president of engineering at McLaren Health, in a Tuesday session at AAMI eXchange REWIRED. “If you haven’t heard of or been affected by an attack, just wait—your time is coming.”

Most healthcare technology management (HTM) professionals consider legacy devices to be those that manufacturers no longer support with upgrades or software patches, or those for which parts are no longer available. But the International Medical Device Regulators Forum has a narrower definition: A legacy medical device is one that cannot be reasonably protected against current cybersecurity threats.

There are two options for dealing with legacy devices, Jacques said:

  1. Keep them running, unsupported. This can be a benefit if the devices still perform and function as designed. But it can be problematic because of cybersecurity risks, difficulty obtaining parts, and, for older devices, finding someone who is trained to repair them.

  2. Replace them with new technology. The upside of new technology is that it typically comes with a newer operating system and support from the original equipment manufacturer (OEM). But most hospital systems don’t have unlimited capital to replace all legacy devices.

This is where HTM departments must play a proactive role. Clinical users and owners, such as cardiology or radiology departments, and even IT teams do not know as much about devices and risks as HTM professionals do. “They don’t know the cycle for OEMs to patch their devices, or whether a new software version has been approved by the FDA,” Jacques said. “We take responsibility for that.”

Because healthcare systems cannot replace all legacy devices, HTM professionals should collaborate with cybersecurity, IT, and finance teams, as well as organizational leaders, on replacement decisions, Jacques said. For legacy systems that are not replaced, HTM professionals should support solutions to mitigate or remediate cybersecurity threats and vulnerabilities, such as network configurations that provide more protection.

Cybersecurity attacks have caused real harm—a patient death in Germany last year, a clinic closure in Michigan after it chose not to pay ransomware in 2019, and lost revenue due to forced shutdowns of entire hospital systems. Mike Powers, clinical engineering director at Intermountain Healthcare, shared these statistics about cybersecurity in healthcare in 2020:

  • 239.4 million cyberattack attempts

  • An average of 816 attempted cyberattacks per healthcare endpoint

  • A 9,851% increase from 2019

  • 560 healthcare organizations impacted

  • ~1 million healthcare records breached every month

  • One breached service provider is estimated to be responsible for ~10 million breached records

  • COVID-19-themed cyberattacks began with the pandemic, which resulted in new ways of delivering care, and attempted cyberattacks increased throughout the year

“The opportunities for healthcare organizations to be an attack vector for a bad actor have increased tremendously,” Powers said. “These attacks took the form of brute force efforts, and social engineering attacks.”

Jacques and Powers serve on the Healthcare and Public Health Sector Coordinating Council (HSCC), a critical industry advisory council led by private-sector large, medium, and small health industry stakeholders working with government partners to identify and mitigate threats and vulnerabilities affecting the ability of the sector to deliver healthcare services. A major component of HSCC is a Cybersecurity Working Group, which represents 300 healthcare organizations in the subsectors of direct patient care, medical materials, health IT, health plans and payers, laboratories, biologics and pharmaceuticals, and public health.

An HSCC Med-Tech Legacy Devices Task Group is developing business solutions, best practices, incentives, and policies for end-of-life product life management and replacement of legacy devices, as well as working through how to prevent future technology from becoming legacy.