The Legacy Device Dilemma
Legacy medical devices, defined as those cleared and approved before September 2023, pose a significant challenge for manufacturers. These older products were often designed and approved without the robust cybersecurity controls and safeguards that are now expected in the industry. As technology advances and new threats emerge, the security vulnerabilities of legacy devices become increasingly concerning, posing potential risks to patient safety and data privacy.
One of the primary issues with legacy devices is that they may not be capable of supporting the latest encryption standards or other modern security measures. As Christian Espinosa, CEO of Blue Goat Cyber, explains, “If we look at a device that was cleared, let’s say 20 years ago, using encryption that was state-of-the-art back then, that’s most likely going to be considered wildly insecure now. But the hardware that that device is on probably does not even support modern encryption.”
Replacing all legacy devices with newer, more secure models is often not a feasible solution for healthcare delivery organizations (HDOs). As Trevor Slattery, Chief Technology Officer and Director of MedTech Cybersecurity at Blue Goat Cyber, points out, “A lot of people think, ‘Well, let’s just replace all those devices with newer ones.’ But that’s a larger problem than most people realize because it’s not just a replace and just assume everything’s going to be fine. You also have to train all the staff on how to use a new device. There’s a big learning curve. A lot of healthcare delivery organizations don’t want to pay for new devices.”
Given the challenges of replacing legacy devices, manufacturers and HDOs must find alternative ways to address the cybersecurity risks associated with these older products. This is where the FDA’s evolving guidance on legacy device management comes into play.
The FDA’s Shifting Approach to Legacy Devices
The FDA has recognized the unique challenges posed by legacy medical devices and has taken steps to provide manufacturers with more flexible pathways for addressing cybersecurity concerns. The key shift in the FDA’s approach is the distinction between “controlled” and “uncontrolled” risk.
Controlled vs. Uncontrolled Risk
According to Espinosa and Slattery, the FDA is now focusing on the potential impact of a security vulnerability, rather than just the presence of the vulnerability itself. Uncontrolled risk refers to a situation where a security issue could pose a significant threat to patient safety or data, such as a vulnerability in a pacemaker that could lead to life-threatening consequences. Controlled risk, on the other hand, describes a scenario where a security flaw may exist but the potential harm to the patient or their data is relatively low, such as an oxygen pump freezing up for a few minutes.
The FDA is encouraging manufacturers to assess the risks associated with their legacy devices and determine which issues fall into the “controlled” category. This allows for a more targeted approach to addressing cybersecurity concerns, rather than requiring a complete overhaul of the device’s security architecture.
The Reduced Burden Pathway
Building on the controlled vs. uncontrolled risk framework, the FDA has introduced a “reduced burden pathway” for legacy device updates. As Slattery explains, “The FDA is now saying, ‘Okay, we get it. Some of these legacy products, you need to make other changes. If you’re doing that, here’s what we see as a good effort for cyber security.’”
Under this reduced burden pathway, manufacturers making changes to legacy devices that do not directly impact the device’s cybersecurity posture can follow a streamlined process. This includes:
- Conducting an uncontrolled risk assessment to identify and address any significant security vulnerabilities
- Developing a comprehensive postmarket management plan for ongoing security monitoring and maintenance
- Providing a software bill of materials (SBOM) to increase transparency and visibility into the device’s components
By taking this approach, the FDA aims to help manufacturers make necessary updates to their legacy devices without requiring a complete cybersecurity overhaul, a requirement that could lead to valuable products being removed from the market.
Practical Steps for Securing Legacy Devices
While the FDA’s guidance provides a framework for addressing legacy device cybersecurity, manufacturers must still take proactive steps to mitigate risks and ensure the ongoing security of their products. Here are some key strategies to consider:
Penetration Testing and Risk Assessment
As Espinosa and Slattery emphasize, understanding the real-world risks associated with legacy devices is crucial. Conducting regular penetration testing and risk assessments can help manufacturers identify vulnerabilities and develop targeted mitigation strategies.
Slattery notes, “If you’re aware of the risk with your device, you can communicate that to whoever’s using your device and come up with some mitigating controls as well. Like, if your device has some network vulnerabilities, then you could recommend that as a way to mitigate that, it’s put behind a firewall at the hospital, for instance, or put on an isolated segment.”
Postmarket Monitoring and Management
The FDA’s guidance emphasizes the importance of a comprehensive postmarket management plan for legacy devices. This includes ongoing security monitoring, vulnerability tracking, and proactive updates to address known issues.
As Espinosa explains, “The postmarket management strategy for a medical device is not saying these are all of the controls that we built into a product to ensure that it’s hardened against attack. It’s saying this is what we’re doing to keep an eye on things once it’s in the field. Here’s how often and what type of testing we’re doing on the product. Here’s what different feeds and resources we’re monitoring to be aware in case of a problem.”
Software Bill of Materials (SBOM)
Providing a detailed SBOM is a key requirement under the FDA’s reduced burden pathway. By documenting the software components and dependencies within a legacy device, manufacturers can better understand and manage the associated security risks.
As Slattery notes, “If you aren’t doing these types of activities, you’re never going to figure out what’s wrong. And a bad guy can figure out, a criminal hacker can find the vulnerability first if they’re actively researching the security of this device and your team is not. And that’s obviously the worst case scenario is for criminals to understand how to attack this device without anyone else being able to figure that out first.”
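As an added illustration (not code from Blue Goat Cyber or the FDA), the sketch below shows how an SBOM feeds the postmarket vulnerability tracking and the controlled vs. uncontrolled triage described above. The component names, versions, advisory IDs and the `PATIENT_HARM` ratings are constructed placeholders; the harm rating is assumed to come from the manufacturer's own risk assessment, and the high/low mapping is a simplification of the distinction as this article describes it.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical legacy device.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-tls-lib", "version": "1.0.1"},
    {"name": "example-rtos-netstack", "version": "4.2"},
    {"name": "example-ui-toolkit", "version": "2.7"}
  ]
}"""

# Constructed advisory feed entries (IDs are placeholders, not real advisories).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "example-tls-lib",
     "affected": ["1.0.0", "1.0.1"]},
    {"id": "ADV-EXAMPLE-002", "component": "example-ui-toolkit",
     "affected": ["2.7"]},
    {"id": "ADV-EXAMPLE-003", "component": "example-rtos-netstack",
     "affected": ["3.9"]},  # device ships 4.2, so this must not match
]

# Assumption: the manufacturer's risk assessment rates patient harm per
# component if it is compromised on this device ("high" or "low").
PATIENT_HARM = {"example-tls-lib": "high", "example-ui-toolkit": "low"}


def triage(sbom_json, advisories, patient_harm):
    """Match advisories to SBOM components and sort them by risk category."""
    shipped = {c["name"]: c["version"]
               for c in json.loads(sbom_json)["components"]}
    report = {"uncontrolled": [], "controlled": [], "unassessed": []}
    for adv in advisories:
        version = shipped.get(adv["component"])
        if version is None or version not in adv["affected"]:
            continue  # component absent or shipped version not affected
        harm = patient_harm.get(adv["component"])
        if harm == "high":
            bucket = "uncontrolled"
        elif harm == "low":
            bucket = "controlled"
        else:
            bucket = "unassessed"  # no harm rating yet: needs a risk assessment
        report[bucket].append((adv["id"], adv["component"], version))
    return report


if __name__ == "__main__":
    for category, findings in triage(SBOM_JSON, ADVISORIES, PATIENT_HARM).items():
        print(category, findings)
```

Findings that land in `unassessed` are the ones to route back into the risk assessment, since the SBOM shows the component is affected but nobody has yet rated its impact on the patient.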
Collaboration and Transparency
Securing legacy medical devices requires a collaborative effort between manufacturers, healthcare providers, and regulatory bodies. By fostering open communication and transparency, stakeholders can work together to identify and address security risks, as well as develop effective mitigation strategies.
Espinosa emphasizes the importance of this approach, stating, “Waiting until it becomes an enforceable problem. So, try to get ahead of these things. The FDA, it’s clear the path they’re going and they’re trying to give some easy options to getting things right now before things get more complicated.”
A Holistic Approach to Cybersecurity
Securing legacy medical devices is not a one-time task, but rather a continuous process that must be integrated into the entire product lifecycle. Manufacturers should adopt a holistic approach to cybersecurity, considering security from the initial design phase through to the device’s eventual disposal.
As Espinosa and Slattery suggest, the mantra “from design to disposal” should be the guiding principle for medical device cybersecurity. This means addressing security concerns at every stage, from the initial product conception to the final decommissioning and recycling of the device.
By taking this comprehensive approach, manufacturers can ensure that their legacy devices, as well as their newer products, are equipped to withstand evolving cyber threats and maintain the highest standards of patient safety and data protection.
Conclusion
The challenge of securing legacy medical devices is a complex and ongoing issue, but the FDA’s evolving guidance provides a roadmap for manufacturers to navigate this landscape. By understanding the distinction between controlled and uncontrolled risk, leveraging the reduced burden pathway, and implementing practical security measures, manufacturers can proactively address the cybersecurity concerns associated with their legacy products.
Ultimately, the key to success lies in a holistic, collaborative approach that prioritizes security throughout the entire product lifecycle. By working closely with healthcare providers, regulatory bodies, and cybersecurity experts, manufacturers can ensure that their legacy devices remain secure, compliant, and, most importantly, safe for the patients who rely on them.