With the Food and Drug Administration’s (FDA’s) 2023 requirements for medical device cybersecurity and the PATCH Act, regulators focused on reducing risk. However, the PATCH Act only applies to new medical devices manufactured after March 2023. As a result, legacy systems have few checks around vulnerabilities.
Manufacturers tend to focus on the development and launch of products. Sometimes, that means sunsetting ones already on the market or no longer updating them as often. Yet, many providers and patients are still using these devices every day.
Let’s look at the PATCH Act and the continued concern over legacy medical devices.
What Is the PATCH Act?
The PATCH Act refers to the Protecting and Transforming Cyber Healthcare Act. Its requirements include:
- Pre-market submissions that demonstrate the company’s commitment to cybersecurity and safety, including a software bill of materials (SBOM)
- Prevention of vulnerabilities that cybercriminals could exploit
- Development and implementation of security patching to address any cybersecurity issues
The law follows the guidance of the FDA.
Why Doesn’t the PATCH Act Cover Legacy Devices?
The law does not designate legacy devices as subject to the new rules. Most regulations don’t apply retroactively to products already on the market, even in cybersecurity.
There may have been little awareness that medical devices can remain functional for 10 to 30 years. They aren’t necessarily something you update as often as consumer electronics like smartphones.
Managing legacy devices and holding them to the same standard poses real challenges. Most healthcare organizations don’t track devices at a national or regional level. It would be difficult to understand the scale of the legacy problem, as the industry doesn’t even know how many such devices are in use.
What Are the Biggest Threats of Legacy Medical Devices?
In 2022, before the PATCH Act, the FBI issued an alert that 53% of networked medical devices and Internet of Things (IoT) devices have at least one vulnerability.
There are several high risks associated with these products, including:
- Backdoors can be present and operating without anyone’s knowledge. This actually happened with patient monitors from Contec.
- A lapse in updates and patches is common. There’s also no SBOM for most legacy systems, so there’s no source of truth identifying the code in use. Patching may also no longer be available from manufacturers.
- There’s often a lack of modern security features in these older models.
- Hard-coded passwords are another common legacy characteristic.
- Legacy systems still rely on default network configuration settings, which are easily exploited.
What Other Factors Impact Legacy Management?
The laws and rules don’t apply to this older equipment, but agencies, manufacturers, the healthcare industry, and other stakeholders continue to try to address the issues. However, the body regulating medical devices has taken severe hits to its staffing numbers.
Those cuts mostly impact new devices coming to market, but they could also impede overall oversight. When there’s any lapse, cybercriminals will take note. In fact, some experts have suggested that the FDA would have trouble managing concurrent cyberattacks.
What Can the Industry Do to Reduce Legacy Device Risk?
The industry could apply the PATCH Act and FDA guidance to legacy devices as well. One of the best things to do is to maintain an SBOM that defines all software in use, since that software is where attacks are most likely to target.
Manufacturers can also work with healthcare organizations to develop stronger controls and smoother patching for these devices. If a device is sunset, the manufacturer should say so and provide alternatives for its continued use.
In the end, all parties should move cohesively to ensure the PATCH Act protects new devices while also addressing legacy systems.
Have questions about legacy device cybersecurity? We can help. Contact our experts today.