How can you guarantee the cybersecurity of outdated equipment?
November 2021 – Repertoire Magazine
Editor’s note: Last month Repertoire shared some experts’ perspectives on selling the cybersecurity-related merits of new equipment and devices. This month, we look at a nagging problem – ensuring the cybersecurity of “legacy” devices and equipment, that is, devices that keep on working beyond the point when their operating systems and software can be updated or patched.
How long will distributors and manufacturers be on the hook for ensuring the safety – from a cybersecurity perspective – of the equipment they sell? One year? Five? Ten?
In a letter written in May 2018 to the U.S. House of Representatives Energy and Commerce Committee, the American Hospital Association took a strong stance: “The FDA must make clear that security measures to protect legacy devices are required, not optional. Unfortunately, the health care sector, including the device sector, continues to be confused as to whether FDA guidance on post-market cybersecurity is binding.”
In the letter, former AHA Executive Vice President Thomas Nickels wrote, “It would be useful for manufacturers to provide guidance to end-users at the time of purchase about the expected supported lifetime. This would allow for better planning and risk management activities.”
Chad Waters, senior cybersecurity engineer, Device Evaluation Group at ECRI, told Repertoire in an email, “Going forward, the strategy should focus on producing devices that don’t become ‘legacy’ before their useful lifespan. It’s also reasonable that a device [be] easily patchable. These devices should have security support throughout their expected lifespan. In some cases, this includes one or more upgrades of the operating system platform. Manufacturers should be transparent with the lifecycle plans of their devices.”
Even the AHA’s Nickels doesn’t believe it will be easy.
“There is a significant contrast between the ease and efficiency of updating network and PC software for security, and updating software embedded in medical devices,” he wrote. “Software companies have generally prioritized creating a systematic approach for sharing timely updates and providing guidance on how to complete them. Similar approaches have yet to be deployed by medical device manufacturers.”
At some point, healthcare providers must decide: will they disconnect their equipment from the Internet of Things, or will they simply replace it?
A 2019 analysis by cybersecurity firm Forescout Research Labs put it this way: “Networks will most likely continue to have medical devices running legacy operating systems, since updates are costly. The downtime associated with an operating system update might not be acceptable for critical-care systems. In addition, certain legacy applications simply will not work on more recent versions of Windows due to lack of support, compatibility, or license schema issues.
“The business need to run legacy operating systems on medical devices isn’t going away any time soon, so these devices must be segmented appropriately to protect access to critical information and services.”
CME Corporation CIO Peter Wyner told Repertoire, “Legacy equipment is definitely a challenge, especially once it has reached an end-of-support status. When connected equipment is no longer being supported and patched by the manufacturer, we typically work with customers to provide options for replacement or recommend deactivating the connected functionality of the equipment when feasible.”