A number of medical organizations have submitted recommendations to the House Energy and Commerce Committee on how to reduce cybersecurity vulnerabilities in aging healthcare IT systems and medical devices under the committee’s Supported Lifetimes initiative.
In April, the committee asked for input from various stakeholders about the problem of cybersecurity vulnerabilities in these systems and devices in response to the WannaCry ransomware campaign that caused widespread disruption in the healthcare sector last year.
The American Hospital Association (AHA) noted that legacy devices are a key vulnerability to the healthcare system and called on manufacturers to provide better support to improve the security of their devices.
“This support should include wrapping security precautions around these devices, adding security tools and auditing capabilities where possible, conducting regular updates and patching all software, and communicating security vulnerabilities quickly through consistent channels,” noted the AHA in its letter to the committee.
“Too often, such supports are lacking and end-users must create their own custom security controls, many of which are expensive, inefficient, do not scale, and create operational challenges,” AHA added.
AHA argued that these end-user controls, such as firewalls, network segmentation, and taking devices offline, do not completely resolve the cybersecurity concerns and can impact clinical workflows and patient care.
The group recommended that manufacturers provide guidance to hospitals and other end-users at the time the device is purchased about the expected supported lifetime of the device.
“During the supported lifetime, manufacturers should be providing ongoing security updates, software patches, and needed hardware upgrades on a timely basis, after testing to ensure that the updates do not negatively impact device performance or the ability to send and receive data,” the letter argued.
AHA called on the Food and Drug Administration (FDA) to ensure that manufacturers are required to maintain security measures for legacy devices given that they have no incentive to do so once the device is sold.
“While no actions can completely eliminate cybersecurity risks from health care, swift action by the FDA to improve the security of legacy and new medical devices will aid in reducing significant sources of vulnerability,” the AHA stressed.
The American Society of Cataract and Refractive Surgery (ASCRS) argued that medical device manufacturers should be required to provide cyberthreat protections, especially for devices using outdated or legacy software.
“Medical device manufacturers have a duty to ensure that physicians who use their devices are aware of potential vulnerabilities in their systems due to outdated and unsupported software programs,” the group argued in its committee letter.
Representing device manufacturers, the Advanced Medical Technology Association (AdvaMed) argued in its comments to the committee that device security is a “shared responsibility” among stakeholders — manufacturers, hospitals, physicians, IT professionals, healthcare providers, regulators, and patients.
AdvaMed stressed that “policies to support legacy technologies indefinitely would slow the development of new and innovative medical technologies and may have a direct impact on the financial viability of smaller innovative manufacturers.”
The association added that fixing vulnerabilities in legacy devices indefinitely would be cost prohibitive.
AdvaMed supported the FDA’s vulnerability disclosure requirements in its Medical Device Safety Plan.
“Our industry strongly supports the use of coordinated vulnerability disclosure … as the process informs stakeholders, including healthcare IT personnel, of current risks and appropriate mitigating controls,” the group said.
The Medical Imaging and Technology Alliance (MITA) also called for cooperation among stakeholders.
“The clinical lifetime for many medical imaging devices, such as MRI machines, can span decades, while the digital lifetime, during which manufacturers are able to provide security updates, may only be a few years. This disparity creates a shared financial burden between HDOs [health delivery organizations], manufacturers, and public agencies that creates additional tension,” the MITA argued in its committee letter.
MITA opposed requiring manufacturers to continue to provide security support beyond the device’s supported lifetime.
“MITA believes the entire healthcare industry can achieve improved cyber security only by embracing the model of shared responsibility,” the letter noted.