FDA-MITRE white paper prescribes next steps in managing legacy medical device cybersecurity risks

The U.S. Food and Drug Administration (FDA) has partnered with non-profit organization MITRE to create a white paper addressing the challenges posed by legacy medical devices in the healthcare sector. These devices continue to function but may be susceptible to cybersecurity risks. The FDA-MITRE document expands on previous work and offers near-term solutions, guiding how to implement key recommendations. It also takes into account the specific needs of less-resourced healthcare delivery organizations (HDOs), including rural providers and safety-net hospitals.

The FDA-MITRE white paper presents findings from the interviews and working group discussions that include a discussion of previous work on legacy medical devices, challenges in operationalizing those efforts, and several recommendations to address those challenges, including shared responsibility over the medical device lifecycle, vulnerability management, workforce development, and mutual aid. MITRE initially interviewed a representative group of stakeholders, including those from HDOs, medical device manufacturers (MDMs), and healthcare cybersecurity experts, to develop an initial landscape analysis to define the scope and parameters for the white paper. 

Based on the stakeholder interviews and the working group discussions, MITRE identified challenges in adopting the processes described in the previous work on managing the risk of legacy medical devices. It recommended various studies and pilots to drive adoption. Additionally, the creation of templates, standardized information, and processes are suggested to assist less-resourced HDOs. 

Medical devices are acquired and implemented in the context of these complex organizations and their strategic processes, financial resources, and organizational governance. As medical devices are substantial investments for HDOs, devices are procured on set timeframes to maximize the value and life of the device. Consequently, medical devices are frequently utilized beyond their ability to keep up with evolving cyber threats. 

For under-resourced HDOs, there may be a choice between not offering a medical device or service to patients or using a potentially insecure legacy device that can provide that service to patients. Additionally, beyond consideration of financial resources, the replacement of legacy devices occurs in the context of organizational and people-focused factors. The white paper identified that the current environment has led to an abundance of outdated medical devices that still fulfill their main purpose but may be susceptible to cyber risks. 

The Task Force report highlighted several specific risks associated with networked medical devices and interconnected IT networks. These risks include the failure to promptly provide security software updates and patches to medical devices, neglecting to address legacy devices, malware that manipulates data on diagnostic and treatment devices, firmware/software updates that modify device functions, denial of service attacks that render a device inaccessible, and the unauthorized exfiltration of personal identification and/or health information.

The Task Force had several recommendations for protecting medical devices, including securing legacy medical devices by implementing regular software updates, establishing firewalls, and ensuring compatibility with modern security protocols, among other controls. It also called for improving manufacturing and developing transparency among developers and users, improving the turnaround time for security updates and patches, and increasing adoption and rigor of the secure development lifecycle in the development of medical devices. It also called for requiring strong authentication to improve identity and access to medical devices and employing strategic and architectural approaches to reduce attack surfaces.

The Task Force, Healthcare Sector Coordinating Council (HSCC), and International Medical Device Regulators Forum (IMDRF) working groups have worked to identify the challenges posed by legacy medical devices and provide recommendations, frameworks, and processes to address them. 

Nonetheless, the FDA-MITRE white paper identified some challenges and gaps that remain in implementing those recommendations. Firstly, the data is needed to inform decisions that will be made by individual HDOs and MDMs as they implement the risk management frameworks, as well as to potentially inform future policies and regulations. 

Secondly, managing the cyber risk of legacy medical devices is dependent upon clearly defining medical device lifetimes and lifecycle phases, permitting the development of shared responsibility models between HDOs and MDMs, where specific roles and responsibilities may change as devices move through the different lifecycle phases. This collaborative effort requires transparency, clear expectations, and a better understanding of the design process, the security posture of the devices, and the clinical and operational environment in which they operate. 

Thirdly, frameworks, such as the HIC-MaLTS responsibility transfer framework, offer recommendations, however, HDOs, particularly those in less-resourced rural and safety-net facilities may struggle to implement them on their own. Therefore, it is essential to identify resources to assist them and MDMs are encouraged to adopt standardized processes.

Some recommendations presented in the FDA-MITRE white paper call for collecting and analyzing data, while others call for improving information sharing and transparency. To ensure that these recommendations are carried out with the involvement of all relevant stakeholders and that the data collected is reliable, valid, and useful, stakeholders are advised to follow governance and data collection principles.

The white paper also focused on the shared responsibility of managing legacy medical devices, improving vulnerability management of legacy medical devices through information sharing, developing a skilled workforce, and establishing mutual aid relationships to help less-resourced HDOs. 

The recommendations suggest collecting data to understand the misalignment between HDO and MDM notions of the useful life of devices, increasing transparency between HDOs and MDMs to ensure security expectations are shared, and developing generic or standardized security architectures to share responsibilities for managing risk and moving toward more modular and resilient design. 

The FDA-MITRE white paper proposes pilot data collection to support decision-making for legacy device risk management, develop information-sharing agreement templates to increase transparency, establish a security architecture working group, and develop a research program in modular design for medical devices. It also suggests developing a research program in modular design for medical devices, developing competency models for roles related to legacy cyber risk management, identifying resources for workforce development, and recommending participation in mutual aid partnerships. 

In conclusion, the FDA-MITRE white paper identified several approaches to address legacy challenges based on previous work. Managing the risk of legacy medical devices is a shared responsibility over the lifecycle of a medical device. It will be important to collect data to understand the magnitude of the problem and the economics from both the MDM and HDO perspectives, which will enable informed decision-making by HDOs and MDMs and develop new policies and incentives. In addition, it will be important to develop tools for increasing transparency, both to convey security expectations and to share technical information to support managing legacy medical device cybersecurity risks.

Secondly, the white paper laid down that vulnerability management is complex, and it will be important to investigate approaches to streamline the coordination of vulnerability notification and patching/mitigations. Thirdly, managing legacy medical device cybersecurity risks requires a skilled workforce defined with a competency model. Finally, it will be important for less-resourced HDOs to manage legacy medical devices, and regional mutual aid approaches may be able to help. By addressing legacy medical device risks, medical device cybersecurity can be improved, and patient safety safeguarded from growing cyber risks.     

Last November, MITRE released a playbook providing practical considerations to address medical device cybersecurity incidents, revised this year. Featuring tools, techniques, and resources, the playbook outlines a framework for healthcare delivery organizations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, ensure the effectiveness of devices, and protect patient safety.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.