US HSCC releases HIC-MaLTS guide to help healthcare sector manage cyber risks caused by legacy technologies

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) published last week the Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS) guide, which addresses the management of cyber risk caused by legacy technologies used in healthcare environments. The HIC-MaLTS guide takes into account gaps and deficiencies in investment in comprehensive systems security architecture approaches, engineering best practices and processes, and the use of case-appropriate security technologies.

The HSCC task group that developed this resource consisted of 65 organizational members co-led by Intermountain Healthcare, Elekta, and the Food and Drug Administration (FDA). The work process involved three years of engagement, negotiation, and drafting among health delivery and medtech companies, demonstrating a collaborative commitment to the principle of shared responsibility. The result is a compromise, a consensus, and a set of actionable practices that will increase security, lower costs, and protect patient safety.

With best practices and recommendations in a modular and actionable format for medical device manufacturers (MDMs), healthcare delivery organizations (HDOs), and other technology providers whose products are used in healthcare environments, the HIC-MaLTS guide works to identify the respective and shared responsibilities required of healthcare stakeholders in the security management of legacy medical devices and technologies. The variation in resources among MDMs, HDOs, and other healthcare stakeholders requires that effective solutions be scalable across many types and sizes of organizations, particularly smaller providers with limited resources and expertise.

The 115-page guide also notes that the use of off-the-shelf (OTS) components and software within medical technologies may result in inconsistent support lifecycles among the hardware and software components of a device. It also cites wide variation among organizations in terms of size, capabilities, cybersecurity maturity, and resources, which contributes to a lack of process maturity within the sector. Additionally, it looks into the inconsistency among organizations in providing visibility, communication, and resolution of potential technology vulnerabilities.

The HIC-MaLTS document recommends cybersecurity strategies that manufacturers and health providers can implement for legacy medical technology as a shared responsibility in the clinical environment, and provides insights for designing future devices that are more secure. The guide addresses that emphasis through a rigorously-negotiated program of cybersecurity management and accountability between health delivery organizations and medical technology companies involving legacy medical systems in the clinical environment.

The guide covers the ‘Core Pillars’ of a comprehensive legacy technology cyber risk management program. These include governance, communications, cyber risk management, and future-proofing. When it comes to governance, the HIC-MaLTS guide covers how healthcare stakeholders should govern to ensure effective legacy technology cyber risk management. On communications, it looks into how organizations should communicate, internally and to their customers, regulators, and the public, in order to manage legacy technology risk.

Moving over to cyber risk management, the HIC-MaLTS guide addresses how organizations should manage cyber risk from current and future legacy technologies in order to limit current risk and avoid or minimize future risk. Lastly, when it comes to future-proofing, the document covers how MDMs and other technology providers should design, deploy, and maintain their technologies to avoid or lessen legacy technology risks.

The guide also analyzes common legacy risk management challenges and offers recommendations for addressing them. These include connectivity, end-of-life/service, third-party servicers, inventory/asset management, SBOM, patching, and third-party components.
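As an added illustration of the inconsistent component support lifecycles and the inventory/SBOM challenges mentioned above (this is not code from the guide or the article), the following Python sketch takes a constructed, SBOM-style device inventory and flags each device whose effective support ends with its earliest-expiring component; all asset identifiers, component names and dates are made up.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Component:
    name: str
    version: str
    end_of_support: Optional[date]  # None: vendor has published no end-of-support date


@dataclass
class Device:
    asset_id: str
    model: str
    components: List[Component] = field(default_factory=list)


def effective_end_of_support(device: Device) -> Optional[date]:
    """A device is effectively legacy as soon as ANY of its components loses support,
    so the device-level date is the minimum over its components' published dates."""
    dates = [c.end_of_support for c in device.components if c.end_of_support]
    return min(dates) if dates else None


def legacy_findings(inventory: List[Device], today: date) -> Dict[str, List[str]]:
    """Return, per asset, the components that are already unsupported or have no
    published support date (both need a documented risk decision by the HDO)."""
    findings: Dict[str, List[str]] = {}
    for dev in inventory:
        issues = []
        for c in dev.components:
            if c.end_of_support is None:
                issues.append(f"{c.name} {c.version}: no published end-of-support date")
            elif c.end_of_support <= today:
                issues.append(f"{c.name} {c.version}: unsupported since {c.end_of_support}")
        if issues:
            findings[dev.asset_id] = issues
    return findings


# Constructed sample inventory (hypothetical devices, components and dates).
INVENTORY = [
    Device("IP-0001", "Infusion pump", [
        Component("device-firmware", "4.2", date(2027, 6, 30)),
        Component("embedded-os", "7", date(2020, 1, 14)),  # OTS OS outlived by the hardware
    ]),
    Device("US-0002", "Ultrasound cart", [
        Component("device-firmware", "2.0", date(2026, 12, 31)),
        Component("tls-library", "1.0.2", None),  # support status unknown from the SBOM
    ]),
    Device("MR-0003", "MRI console", [
        Component("device-firmware", "9.1", date(2029, 3, 31)),
        Component("embedded-os", "10", date(2028, 10, 14)),
    ]),
]
```

Running `legacy_findings(INVENTORY, date.today())` lists only the pump and the ultrasound cart, which is the inventory view an HDO needs before deciding whether to keep an unsupported device in clinical use.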

The guide said that for financial, logistical, and operational reasons, HDOs may consider continuing to use legacy technologies even after support is discontinued. Recognizing this reality, it is important for HDOs to have access to information and best practices for managing legacy technology risk as safely and effectively as possible in situations where they intend to continue using legacy technologies.

The guide offers a ‘Responsibility Transfer Framework,’ which details the important factors HDOs should assess to make an informed decision about the potential risks of continuing to use a technology after its support ends. The framework examines factors related to safety and effectiveness, clinical impacts, and technical risk management.

Although software patching is a key practice in protecting technologies, patch management at HDOs is challenged by a diversity of equipment, lag time to patch availability, the accessibility and utility of patch information, ownership of patch installation, and the fact that patching needs to be coordinated with care delivery to minimize patient impacts, creating complicated logistics.

Patching remains a major cyber risk management activity but is also a major challenge. The guide offers a ‘Patching Lifecycle Recommendations’ section that breaks down the patching lifecycle from first identifying an issue that may need patching (signal identification), to patch development, to patch installation and testing. It also includes recommendations tailored to each lifecycle stage.

The HIC-MaLTS guide also notes that designing technologies to avoid and minimize future legacy pressures is as important as managing current legacy technologies. The ‘Future Proofing’ section details recommendations for designing, deploying, and maintaining technologies to extend the product lifecycle and mitigate future legacy issues. It also covers threat modeling practices, technology design including software and vendor selection, and facilitating secure technology deployment.

The HSCC also said that all 17 of the HSCC Cybersecurity Working Group publications of leading practices and recommendations are available online as a free public service. Additional publications forthcoming over the next quarter include a joint publication with HHS on health sector implementation of the NIST Cybersecurity Framework, Medical Device Joint Security Plan v2, which updates product security strategies for designing and building security into medical technology, a Healthcare Enterprise Incident Response Plan, and a ‘Cybersecurity for the Clinician’ video training series for practicing clinicians and students in the medical profession.

The release of the HIC-MaLTS guide coincides with the White House releasing its ‘National Cybersecurity Strategy,’ which envisions an increased emphasis on protecting the nation’s critical infrastructures from cyber threats and incidents. The document serves as a foundation for making cyberspace more inherently defensible, resilient, and aligned with the country’s values. It also imposes additional mandates on the organizations that control the majority of the nation’s digital infrastructure, with an enhanced government role in disrupting hackers and state-sponsored entities.

Also, the U.S. Environmental Protection Agency (EPA) issued a memorandum that calls upon states to evaluate the cybersecurity of operational technology (OT) used by a public water system (PWS) when conducting PWS sanitary surveys or through other state programs. The memorandum explains various approaches to including cybersecurity in PWS sanitary surveys or other state programs. Additionally, the EPA is providing extensive guidance, training, and technical assistance to help states and PWSs increase resilience to cybersecurity incidents.
