
How legacy medical devices can pose major cybersecurity risks

Theresa Dudley

05/07/2024


Many medical devices are in use for a decade or longer, and so healthcare organizations may be relying on equipment that no longer receives security patches and updates, according to TechTarget’s Health IT Security. As a result, many hospitals and practices may be unable to create reports or dashboard analytics without the distinct possibility of exposing identifiable information that would be classified as protected healthcare information (PHI). This unfortunate outcome could result in HIPAA violations.

There are cybersecurity risks involved with the use of legacy medical devices in healthcare organizations of all sizes, and late last year the Food and Drug Administration (FDA) chimed in with recommendations on how to mitigate those threats. It’s not as straightforward as it could be, as MedTechDive reports: “Old medical devices pose significant risks if they cannot be reasonably protected against current cybersecurity threats. However, the devices were put on the market legally, and removing them from use has implications for patient safety, clinical operations and healthcare provider finances.”

The report the FDA published identified the root cause of this issue: “Medical devices are acquired and implemented in the context of these complex organizations and their strategic processes, financial resources, and organizational governance. As medical devices are substantial investments for HDOs (Health Delivery Organizations), devices are procured on set timeframes to maximize the value and life of a device. Consequently, medical devices are frequently utilized beyond their ability to keep up with evolving cyber threats.”

Steps to mitigate risks posed by aging equipment

The FDA report referred to above, prepared by the MITRE Corporation, offers recommendations for healthcare organizations (HCOs) to defend against the exploitation of their aging devices: “Legacy devices, by definition, cannot be reasonably protected against current cybersecurity threats. Thus, it is important to develop approaches to vulnerability risk management that reduce the risks posed by legacy devices to acceptable levels.” The agency suggests these steps to mitigate the cybersecurity risks of aging equipment:

  • Securing legacy medical devices by implementing regular software updates, establishing firewalls, and ensuring compatibility with modern security protocols, among other controls.
  • Improving the turnaround time for security updates and patches. 
  • Increasing adoption and rigor of the secure development lifecycle in the development of medical devices. 
  • Requiring strong authentication to improve identity and access to medical devices.
  • Employing strategic and architectural approaches to reduce attack surfaces.

Solutions and services are available today that will address all of these FDA recommendations. There are networks with strong firewalls, which strengthen healthcare security postures with timely automated updates that keep pace with changing networking requirements and emerging security risks. Healthcare organizations are implementing Zero Trust Network Access (ZTNA), requiring permission for network access to be validated. Strategic and architectural approaches can be adopted by consulting and planning with healthcare technology experts; for more than 10 years, Spectrum Enterprise has partnered with 115,000+ healthcare organizations to provide technology and communication solutions.

The networks exist to help mitigate the security risks inherent in legacy medical devices. Let’s take a closer look at just what sort of equipment presents the most cybersecurity risks.

Data use and transfer is at the heart of the issue

The devices in question run the gamut from infusion pumps, which ensure the safe delivery of medications, to implantable medical devices. The FBI called out specific devices that were causes for concern, highlighting vulnerabilities in insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps. The ability to use data from such devices is supported by vulnerable IT systems, which include multiple electronic health record solutions. Many of these systems require data transfer between devices from different manufacturers. Further, the proliferation of healthcare technology has enabled a growing shift from inpatient care to hospital-at-home or outpatient facilities.

A key element in protecting these legacy devices from the risks posed by cybercriminals is the manner in which sensitive data is stored, transported and shared. Keeping up with evolving security requirements, upcoming trends and new technologies isn’t easy for healthcare IT departments. However, there is a way to simplify and enhance the management of your IT services with Spectrum Enterprise.

Spectrum Enterprise managed services include network design, equipment, installation and 24/7/365 monitoring and support. Our easy-to-use service portal provides insight into network activities and prepares healthcare IT decision-makers to make better informed decisions about future IT investments.

Healthcare organizations can feel some confidence in the security of future medical device purchases. According to the American Hospital Association, the FDA recognized a consensus standard in November 2023 to help medical device makers address cybersecurity concerns. The guidance is the SW96:2023 standard for medical device security and security risk management.

How Spectrum Enterprise can help

With a scalable, flexible and reliable IT infrastructure, HCOs can leverage the full potential of their current digital tools and technology, foster further innovation, protect PHI and meet future consumer demands. A strong infrastructure partner that truly understands the healthcare industry can support HCOs in these efforts.

Hospitals and practices of all sizes can modernize their networks now, and rely on fast, symmetrical fiber-powered internet connectivity up to 100 Gbps to power their digital health transformation efforts when they choose flexible, scalable solutions from trusted partners. 

Clinicians and smaller healthcare clinics face the same security challenges that large HCOs do but may not have the resources or IT staff necessary to secure their data. These smaller organizations can access connectivity and firewall solutions that enable fast, secure access to patient data and seamless communications. With the Managed Practice Package, organizations of any size can secure a single- or multi‑site network with a scalable all‑in‑one healthcare-managed service that includes the equipment, connectivity, management and support they need.

Spectrum Enterprise provides technology solutions to 80% of the largest health systems in the US, and partners with healthcare organizations of all sizes. Learn more about HITRUST and HIPAA-compatible solutions that can secure a single or multi-site network with the equipment, connectivity, management, communications and support needed to spur digital healthcare transformation.



Theresa Dudley

With 20-plus years of program and product management experience, Theresa Dudley is the Manager of Healthcare Programs at Spectrum Enterprise. She stays current with healthcare industry trends and represents Spectrum Enterprise at healthcare conferences and events. Theresa worked previously at leading high-tech companies including Cisco Systems, Nortel Networks and ADC Telecommunications (now TE Connectivity). She has a Bachelor’s of Science Degree in Business Management from the University of Phoenix.