Hospitals may need to play catch-up on cybersecurity risks for legacy medical devices

Healthcare executives looking to improve cybersecurity standards across their hospitals might want to start with existing IT.

Older medical devices can have critical cybersecurity vulnerabilities, often because the technology wasn’t designed to address the kinds of cyber threats that exist today, Richard Staynings, chief security strategist at cybersecurity platform Cylera, told Healthcare Brew.

“No one in their right mind would conduct their stock trades or their internet banking—or even manage their 401(k)—using a Windows 95 computer today,” Staynings said. “And yet we’re keeping patients alive using an embedded version of that very same operating system in legacy devices.”

Medical devices can typically be used for 10–30 years, but the software powering the devices may expire much sooner than that. According to a recent report from asset visibility and security company Armis, about one in five connected medical devices is running on an outdated and unsupported operating system (OS), which makes it “extremely difficult” to update the software or apply security patches due to storage capacity and/or memory limitations, Staynings said.

The longer the software stays outdated, the more time hackers have to find flaws, per a 2022 report from the Federal Bureau of Investigation (FBI).

Each device connected to a hospital’s network—think blood pressure monitors, IV pumps, or nurse call systems—increases the attack surface, or number of possible entry points for a cyberattack. Legacy devices may have even more entry points, including in default settings that are “often easily exploitable,” the FBI report found.

But these vulnerable devices may still work “perfectly well” for healthcare purposes, Staynings said, and since health systems often purchase devices on a payment schedule spanning a number of years, it can seem cost-prohibitive to upgrade or replace them.

“While that may not be a huge concern [regarding] a $400 network-connected infusion pump, it’s obviously a massive fiscal burden to hospitals to write off a $25 million X-ray system purely because the vendor cannot update the software and make it secure,” Staynings said.

A cyberattack, however, could cost a health system millions of dollars. For example, a ransomware attack on Chicago-based CommonSpirit Health in 2022 led to about $160 million in lost revenue and remediation fees, Healthcare Brew previously reported.

Ricardo Villadiego, founder and CEO of cybersecurity company Lumu Technologies, told Healthcare Brew that health systems should allocate about 10%–15% of their IT budget to cybersecurity. In 2021, hospitals in the US spent an annual average of ~$8.38 million on IT, according to commercial intelligence company Definitive Healthcare.

Villadiego said that the healthcare industry will “absolutely” be increasing IT budgets to bolster cybersecurity.

Legislation is also catching up with the evolving tech landscape. In late December 2022, President Biden signed into law the Consolidated Appropriations Act 2023, which includes new cybersecurity standards and allows the FDA to reject a new medical device application if it does not include a plan to “monitor, identify, and address” postmarket cybersecurity vulnerabilities over the lifetime of the device. These plans can include details like results of tested threat models, a schedule for updates and/or patches, and a list of all open-source or other software components in the device.

The law went into effect on March 29, and when the grace period ended on October 1, the FDA began exercising its authority to automatically refuse submissions that don’t have adequate development plans.

“The most attacked vertical in the United States is healthcare,” Villadiego said. “It’s now. It’s not science fiction—it’s real.”