While ransomware attacks on hospitals and health systems are growing in sophistication, healthcare organizations are facing one of their biggest cybersecurity challenges — defending legacy medical devices against new cyberthreats.
Legacy medical devices in current use by healthcare organizations were designed and manufactured long before the medtech industry was thinking critically about cybersecurity features. Many older medical devices in operation today — using outdated or insecure software, hardware and protocols — were not built with cyber protections in mind leaving healthcare organizations vulnerable to attack and putting the reputation and financial stability of device companies at risk.
Despite the cybersecurity risks, the number of connected medical devices being used in hospital networks is rapidly increasing. Over the next decade, the number of internet-connected medical devices is expected to increase from 10 billion to 50 billion, according to IBM.
"Stuff that's 10-15 years old really was never designed to be on a network," said David Finn, executive vice president at cybersecurity consulting firm CynergisTek and a former CIO of Texas Children's Hospital. "Anything that connects to the internet is going to be at risk."
Making matters worse, legacy devices are using operating systems such as Windows XP that Microsoft no longer supports with security patches and updates.
"That's 20 years old. But some of these large pieces of medical equipment can last that long and still function from a medical perspective just fine," said Zach Rothstein, AdvaMed's VP for technology and regulatory affairs.
Internet of things cybersecurity company Forescout, in a 2020 device security report, predicted that healthcare organizations will have to deal with medical devices running legacy operating systems for the foreseeable future.
"The percentage of devices running entirely unsupported [OS] versions has not changed, remaining constant at 0.4% (between 2019 and 2020). This includes now-obsolete Windows OSes like Windows XP and Windows Server 2003," the report said, suggesting the legacy OS problem will continue well into the future.
While a small number, systems most impacted tend to be some of the most critical devices in healthcare organizations supporting clinical care, such as insulin pumps and ventilators, the report notes.
Marc Schlessinger, a senior associate at watchdog group ECRI, said medical device security is often among the weakest links in a healthcare organization and called legacy devices a particularly challenging area because of well-known vulnerabilities that can't be patched.
Chris Gates, director of product security at medical device engineering firm Velentium, said "you can't always bolt-on security after the fact, especially with a legacy piece of equipment — I've literally handed checks back to clients and told them there's no fixing this."
As recently as last year, Schlessinger said he saw older equipment in hospitals running on Windows 98, despite the fact that Microsoft stopped all support for the operating system in 2006. These kinds of OS issues are common with aging medical imaging systems.
"But you're not going to find a hospital who is very quick to replace a $1.5 million MRI or CT because the operating system is outdated," Schlessinger said. Instead, he recommends healthcare organizations employ best practices to manage security risks including isolating connected medical devices as much as possible from hospital networks.
At the same time, Schlessinger acknowledges that disconnecting devices from hospital networks is often not practical, as doing so could disrupt clinical workflow critical to patient care.
Velentium's Gates, who defines legacy medical devices as those systems that cannot be brought up to current cybersecurity standards, contends the U.S. needs to get rid of those devices that are "highly insecure" and have been in hospitals for 20 years or more. "Let's clean out the dead wood," he said.
However, limited financial and staffing resources amid competing priorities at healthcare organizations are major obstacles to fixing vulnerabilities in legacy medical devices because it is not cost-practical to either replace or remediate them.
The problem is that security analysts and regulators are "too busy trying to keep up with potential vulnerabilities in new devices to spend time on medical systems that have been in clinical use for years," according to Mike Rushanan, director of medical security at consultancy Harbor Labs. The same cannot be said of the hacker community, which he argues has the resources and patience to continually find new cybersecurity vulnerabilities.
Hospitals, devicemakers spar over responsibility, regulation
Cybersecurity experts maintain that identifying and classifying medical devices running legacy operating systems are critical for risk mitigation, recommending devices that cannot be retired or patched be segmented to restrict access to critical information and services only.
However, the American Hospital Association has made the case that device manufacturers should anticipate the need to upgrade a device from Windows 7 to Windows 10, for instance, as a part of planned maintenance at a reasonable cost.
AHA contends that while FDA has released both pre- and post-market guidance to device manufacturers on how to secure systems "there is little incentive for manufacturers to address the security of their installed base of products." The hospital group insists that the regulatory agency must make clear that security measures to protect legacy devices are required, not optional.
"The FDA has a leadership role in creating expectations that manufacturers proactively minimize risk by building security into products by design, providing security tools to their end-users, and updating and patching devices as new intelligence and threats emerge," according to AHA.
FDA guidance in 2016 addressed steps manufacturers must follow to protect medical devices against cyberattacks. The agency made it clear in the document that cybersecurity risk management is a shared responsibility among stakeholders including medical device manufacturers and healthcare delivery organizations.
AdvaMed's Rothstein said the FDA guidance on post-market cybersecurity is binding for manufacturers but device companies and the hospitals share responsibilities to keep medical devices secure over their useful lifetimes.
Complicating the situation is that the long service life of legacy medical devices makes it more difficult to safeguard them as the cybersecurity environment is constantly changing with the emergence of new vulnerabilities and threats.
Under FDA regulations, manufacturers of newer devices must disclose vulnerabilities as they are discovered. What worries cybersecurity experts are the many vulnerabilities that exist in legacy devices that have not yet been discovered.
Constantly evolving threats
At-risk legacy devices are potentially easy targets for cybercriminals who can use them as access points into hospital networks and ultimately the valuable patient data they're after, resulting in monetary reward directly through ransomware attacks or indirectly by selling stolen information.
"These are actually financially motivated intruders who are going after the low-hanging fruit. And, healthcare happens to be fairly low-hanging fruit," said Kevin Fu, acting director of medical device cybersecurity at the FDA's Center for Devices and Radiological Health, during last month's Food & Drug Law Institute annual conference.
"Everything is hackable," Fu said, who noted that medical devices infected by ransomware can be disabled from properly performing critical clinical functions, which could lead to patient harm.
While medical devices such as infusion pumps are used to deliver life-supporting therapy, ECRI is not aware of hackers up to now who've done harm to patients by adjusting device settings that administer medications.
Nonetheless, IBM last year discovered a cybersecurity vulnerability that could potentially allow hackers to remotely take control of insulin pumps and alter medication dosages to patients.
So far, hackers seem more concerned about monetary rewards than doing patient harm.
"They have not gone after patients but that does not mean it can't happen," Schlessinger said. "If a hacker was looking to go in and actually harm a patient, IV pumps and ventilators would be two devices that they could easily target."
FDA's Fu warned that as more medical device companies use the cloud and depend on it for the real-time function of devices the industry is likely going to see cybersecurity incidents where they rise to the level of patient safety issues.
"Ransomware comes at the heart of availability. It simply renders the device useless," Fu said.
It's a possibility that becomes more plausible as the problem of ransomware attacks on healthcare has become an epidemic.
A gang of Eastern European cybercriminals known as Ryuk has hit at least 235 U.S. hospitals and inpatient psychiatric facilities since 2018, taking in more than $100 million from ransomware attacks, according to the Wall Street Journal. Some ransomware gangs avoid targeting healthcare organizations due to concerns about patient safety. However, Ryuk and other groups have no such hesitation.
"It's getting nasty out there. It's a much more sophisticated adversary than even a year ago," Fu told the FDLI conference, referencing the Conti ransomware group which targeted at least 16 U.S. healthcare and first-responder networks causing the FBI to send out an alert last month.
Fu acknowledged he doesn't know what the answer is when it comes to the massive problem of legacy devices and their inherent cybersecurity vulnerabilities.
For now, Gates said, FDA is playing the "long game" by essentially allowing legacy devices to reach the end of their service lives and be replaced by newer, more secure products that comply with the agency's latest cyber regulations — hopefully, before hackers are able to exploit their vulnerabilities and do damage to hospitals and their patients.
"It's quite the thorny issue," AdvaMed's Rothstein said, observing that any medical device that hits the market is quickly considered legacy given the rapid pace of technology. "We're never really going to be completely rid of this issue," he said.