How to Manage Cyber Risk and Legacy Medical Devices

Across the healthcare industry, many organizations still rely on legacy medical devices—technically obsolete devices that still function. In some cases, budget constraints limit the ability to upgrade to newer models; in others, there’s an “ain’t broke, don’t fix it” mindset. The average medical device in service today is 10-15 years old. While they may still be useful, they’re often well beyond end-of-life manufacturer support and function on obsolete or non-updatable operating systems and software.

These legacy devices introduce risks into your already complex and expanding healthcare attack surface:

  • Legacy medical devices could expose or compromise protected health information (PHI) and other sensitive data.
  • Threat actors could introduce malware or ransomware that renders devices inoperable.
  • Unauthorized users could manipulate device settings or shut them down.

These critical issues do more than just disrupt healthcare operations; they can be life and death for your patients.

What is a legacy medical device?

A legacy medical device is any device that cannot reasonably be protected against current cybersecurity threats, typically because the manufacturer no longer supports it or its software can no longer be updated.

Unfortunately, many healthcare institutions struggle to address outdated medical device security issues. They fear updates could result in malfunctions or shutdowns, or taking them offline for cybersecurity risk management would be too disruptive to operations. However, the consequences of these security issues can be dire for patients and healthcare business continuity and resiliency.

That’s why healthcare organizations and business associates must manage legacy medical device security effectively to ensure a continuum of quality healthcare service delivery. While the technical aspects of managing device security are complicated, the cost of inaction is much higher.

A Beacon for Device Security

There is no one-size-fits-all approach to managing legacy medical device cybersecurity. So, where do you begin? How do you tackle these unique cyber threats without jeopardizing device functionality or impacting patient care?

Industry best practices help you prioritize device risk based on your organization’s risk tolerance and risk profile.

The Cybersecurity Act of 2015 was an early driver of these best practices, and since then, other healthcare and cybersecurity organizations have offered additional guidance. For example, the U.S. Food and Drug Administration (FDA) guidance on management of cybersecurity in medical devices clarified that healthcare organizations may apply security patches to legacy devices as long as the patch does not change the device’s form, fit, or function.

The omnibus appropriations bill signed in December 2022 (the Consolidated Appropriations Act, 2023) took that further by giving the FDA explicit authority to require cybersecurity controls in premarket submissions for “cyber devices.” More recently, in 2023, the FDA and MITRE published “Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks,” which outlines immediate solutions to address outdated medical device security challenges.

Addressing Legacy Medical Device Security Risk

While this guidance is valuable, tackling medical device security is still challenging. Because these devices are critical and contain PHI, device security requires collaboration from vetting and selection through implementation and device disposition.

Who should be involved? It’s a shared responsibility of all stakeholders throughout the medical device lifecycle, including:

  • Medical device manufacturers
  • Healthcare personnel
  • Users
  • Regulators
  • Your IT and security teams

The Risk-Informed Challenge

Although a zero-trust strategy can be effective, legacy medical devices often cannot fully participate in one: many lack modern authentication, encryption, or support for endpoint agents, so compensating controls are needed. Therefore, it is essential to have a comprehensive understanding of how each device is used and how it is integrated into clinical workflows. This helps stakeholders collaborate more effectively and better manage potential risks and vulnerabilities. The right skills, data, and expertise are crucial in addressing these complex security issues.

This begins with a risk-informed approach to legacy device management, meaning:

  • Data informs strategic decisions for your medical device security program.
  • The FDA now requires a software bill of materials (SBOM) in premarket submissions for new “cyber devices” (devices that run software and can connect to a network).
  • The SBOM should document all proprietary and open-source software the device uses or accesses.
  • SBOMs are key to understanding and evaluating device risk.
  • SBOMs help users mitigate risk and implement risk management strategies.
  • SBOMs should include known vulnerability information, support status, and end-of-support/life dates.
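
As an added example (not Clearwater’s code or any product feature), the script below shows how the SBOM fields listed above turn into a prioritized action list. It assumes the SBOM is CycloneDX JSON with top-level “components” and “vulnerabilities” lists, and that the manufacturer records support status and end-of-support dates as CycloneDX “properties” on each component; the property names `support:status` and `support:end-date`, the sample device, and the `EXAMPLE-` vulnerability IDs are all constructed for illustration.

```python
"""Triage a CycloneDX-style SBOM for a legacy medical device.

Added example, not Clearwater's code. Assumes CycloneDX JSON with "components"
and "vulnerabilities" lists, and vendor-supplied "properties" named
"support:status" and "support:end-date" (assumed names; CycloneDX does not
standardize them).
"""
import json
from datetime import date

# Constructed sample SBOM for a fictional infusion pump; IDs are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-infusion-pump", "version": "4.2"}},
    "components": [
        {"bom-ref": "os", "type": "operating-system",
         "name": "Windows Embedded Standard 7", "version": "SP1",
         "properties": [{"name": "support:status", "value": "end-of-life"},
                        {"name": "support:end-date", "value": "2020-10-13"}]},
        {"bom-ref": "tls", "type": "library", "name": "openssl", "version": "1.0.2u",
         "properties": [{"name": "support:status", "value": "end-of-life"},
                        {"name": "support:end-date", "value": "2019-12-31"}]},
        {"bom-ref": "ui", "type": "library", "name": "qt", "version": "5.15.2",
         "properties": [{"name": "support:status", "value": "supported"},
                        {"name": "support:end-date", "value": "2025-05-26"}]},
        {"bom-ref": "app", "type": "application", "name": "pump-controller", "version": "4.2"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "ratings": [{"severity": "critical"}], "affects": [{"ref": "tls"}]},
        {"id": "EXAMPLE-0002", "ratings": [{"severity": "medium"}], "affects": [{"ref": "ui"}]},
    ],
})

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0, "none": 0, "unknown": 0}


def _prop(component, name):
    """Look up a CycloneDX name/value property on a component."""
    for p in component.get("properties", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def triage_sbom(sbom_text, today_iso):
    """Return one finding per component that needs action, highest priority first.

    Priority = worst vulnerability severity rank for the component, plus 1 if the
    component is past end-of-support or flagged end-of-life: no vendor fix will
    ever arrive, so the only remedies are compensating controls or replacement.
    """
    today = date.fromisoformat(today_iso)
    sbom = json.loads(sbom_text)
    components = {c["bom-ref"]: c for c in sbom.get("components", []) if "bom-ref" in c}

    worst = {}  # bom-ref -> (severity rank, [vulnerability ids])
    for vuln in sbom.get("vulnerabilities", []):
        sev = max((r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])),
                  key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")
        rank = SEVERITY_RANK.get(sev, 0)
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            if ref not in components:
                continue  # reference to a component not in this SBOM; ignore
            prev_rank, ids = worst.get(ref, (0, []))
            worst[ref] = (max(prev_rank, rank), ids + [vuln["id"]])

    findings = []
    for ref, comp in components.items():
        status = (_prop(comp, "support:status") or "unknown").lower()
        end = _prop(comp, "support:end-date")
        unsupported = status == "end-of-life" or (end is not None and date.fromisoformat(end) < today)
        rank, ids = worst.get(ref, (0, []))
        if rank == 0 and not unsupported:
            continue  # supported and no known vulnerabilities: nothing to do
        findings.append({
            "component": f"{comp['name']} {comp.get('version', '')}".strip(),
            "vulnerabilities": ids,
            "unsupported": unsupported,
            "priority": rank + (1 if unsupported else 0),
            "action": "no vendor fix possible: isolate or replace" if unsupported
                      else "request vendor-validated patch",
        })
    findings.sort(key=lambda f: f["priority"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage_sbom(SAMPLE_SBOM, "2024-06-01"):
        cves = ", ".join(f["vulnerabilities"]) or "no known vulnerabilities"
        print(f"[P{f['priority']}] {f['component']}: {f['action']} ({cves})")
```

Note that the end-of-life component with no listed vulnerabilities still appears in the output: an unsupported operating system is a risk whether or not a specific CVE is known, which is why the support status and end-of-support date belong in the SBOM alongside vulnerability data.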

Medical Device Vulnerability Management

Similar to the approach for your medical device security program, the more granular functions of vulnerability management should also be a shared responsibility among key stakeholders. A complete inventory of devices and components is a critical starting point. SaaS tools like Clearwater’s IRM|Analysis® can help you identify your medical devices, break down each component, and discover and prioritize vulnerabilities so you can build a strategy to address remediation, or you can collect this data by working through clinical workflows.

Unlike other IT and cloud devices, you can’t simply patch or update a legacy medical device and send it straight back into service. It requires performance verification by a certified technician to confirm the device is still safe to use. Cross-departmental collaboration will be key to effective medical device risk management.

The reality is that this process is incredibly resource-intensive. Finding out if a patch is available and when you can apply it takes a lot of legwork. Your team must reach out to each device manufacturer for this feedback, and unfortunately, at least for now, there is no single source of truth for all of this information.

Even once you have this critical information, you still have to map out how to address the security risk and how you will accomplish it. Pre-established and well-thought-out policies and procedures are essential. They’ll ensure your team’s steps are actionable and handled by the right people, especially when your SBOMs guide action items. Once remediation is complete and testing ensures device reliability, it’s always a good idea to conduct continuous assessments to determine whether your controls and processes function effectively.

Workforce Management and Competency Models

While these crucial processes are resource-intensive, most healthcare organizations don’t have the budget or capacity to hire additional skilled personnel. A shortage of skilled professionals further complicates the challenge, so most healthcare organizations must find ways to make the best use of existing personnel to tackle these complex tasks.

To maximize your existing talent and resources, consider using competency models to determine which core cybersecurity skills and knowledge are necessary for the roles that support critical functions to manage legacy risk. These workforce development resources may be helpful:

If you don’t have the right people for the right roles, you may want to consider outsourcing these cybersecurity measures to a consultant. Identify the key areas where you need the most help before engaging a third party for legacy medical device security.

The Practical Outcome of Risk Management

Regarding medical device risk management, you may be worried that you don’t have what you need to be effective because of your size, personnel limitations, or budget constraints. The good news is that a smaller healthcare organization with practical understanding, governance, and procedures can be just as effective as a large one with more resources.

Clearwater consultants recently evaluated two clients to drive this point home. One was a large hospital system with a deep tech stack. It had automated discovery tools integrated with its configuration management database (CMDB) and a ticketing system. The smaller hospital had a small budget and limited tech stack but had implemented well-thought-out policies and procedures with a well-trained staff that understood how to execute the program. This included clearly understanding roles and responsibilities, everything from pre-purchase and risk assessments to vulnerability management and end-of-life.

At the beginning of the assessment, the large hospital had an average maturity score of 2.6, and the small was 2.2. Both continually assessed their medical device security programs and adjusted policies, procedures, and workforce training as needed. Two years later, the large hospital increased to 3.4, and the smaller increased to 3.1; both exceeded the 2021 NIST Cybersecurity Framework Assessment results, in which the average maturity score was 2.9.

The takeaway here is that you don’t have to have the latest, greatest tools to manage legacy medical device security effectively. While tools are helpful and important, if you conduct a thorough assessment of your program, understand exactly what you have for governance, policies, and procedures, and continuously update your workforce training with a focus on stakeholder collaboration, you have everything you need to keep your legacy devices secure and operational.

7 Tips to Build Resilience Against Medical Device Attacks

  1. Take an accurate inventory of all medical devices connected to your network.
    • When possible, use active monitoring tools. If you don’t have access to these resources, there are other vital steps. For example, when a medical device comes in for updates, repairs, or other services, collect all the device data such as operating system, MAC address, IP address, etc. This information will help you better understand what’s on your network.
  2. Know who works with manufacturers and vendors to confirm security settings and approved patches.
    • Make sure you’re enforcing service level agreements (SLAs), both internal and external.
  3. Ensure you’re updating software on each device promptly and adequately. Remember, clinical workflows are critical here. They can help your teams understand when and how long a device can go offline. This takes a lot of stakeholder collaboration. It may be helpful to implement asset-tracking tools that collect device data to understand how and when each device is in use. This information can influence when you schedule updates and downtime. Avoid allowing the devices to run non-stop, daily, year-round. You will need to take them down occasionally for security measures.
  4. Segmentation is one of the most scalable and effective defenses. Consider:
    • How to segment
    • Which devices talk to one another and your electronic medical records (EMR) system
    • What goes out externally to vendors and other sites
  5. Document and know what to do when a medical device is compromised. Consider:
    • Steps to take to respond to and recover from a ransomware attack.
    • How long will you hold a device for forensics?
    • Will you immediately re-image and return it to service, or will it require extended time offline or downtime?
  6. Communicate how patients should notify you if they suspect a compromise. Consider:
    • Do you have a way for patients to contact you immediately?
    • What is the protocol for patients to use, and what happens next?
  7. Regularly practice your organization’s protocols in case of a potential shutdown or attack against medical devices. Consider:
    • When to take a device offline, and whether it is safe to keep using it in an offline mode or whether it must be removed from service
    • Steps to take to put the device back into service
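
Tips 1 and 4 above become concrete once an inventory exists. The script below is an added example (not Clearwater’s code or any product feature) that reconciles a hand-collected device inventory against a firewall flow export: it reports devices seen on the medical-device VLAN that are missing from the inventory, and flows from inventoried devices to anything other than the EMR interface engine or the vendor gateway. The subnet, hosts, MAC addresses, and flow lines are constructed; port 2575 is the conventional HL7 MLLP port.

```python
"""Reconcile a medical-device inventory against observed network flows.

Added example, not Clearwater's code. Assumes a device VLAN with its own
subnet, an inventory collected when devices come in for service, and a flow
log exported as "src_ip dst_ip dst_port" lines. All addresses are constructed.
"""
import ipaddress

MEDICAL_SUBNET = ipaddress.ip_network("10.50.0.0/24")  # assumed device VLAN

# Constructed inventory; MACs and IPs are fictional.
INVENTORY = [
    {"name": "infusion-pump-01", "mac": "00:1a:2b:3c:4d:01", "ip": "10.50.0.11",
     "os": "Windows Embedded Standard 7"},
    {"name": "patient-monitor-07", "mac": "00:1a:2b:3c:4d:07", "ip": "10.50.0.17",
     "os": "Linux 4.19 (vendor build)"},
]

# Segmentation policy for the device VLAN: (allowed destination, port).
ALLOWED = [
    (ipaddress.ip_network("10.20.0.5/32"), 2575),      # assumed EMR interface engine (HL7 MLLP)
    (ipaddress.ip_network("10.20.0.5/32"), 443),
    (ipaddress.ip_network("198.51.100.10/32"), 443),   # assumed vendor update gateway
]

# Constructed flow log: src_ip dst_ip dst_port, one flow per line.
FLOW_LOG = """\
10.50.0.11 10.20.0.5 2575
10.50.0.11 10.20.0.5 443
10.50.0.17 10.20.0.5 2575
10.50.0.17 203.0.113.9 445
10.50.0.23 10.20.0.5 2575
10.20.0.5 10.50.0.11 2575
"""


def parse_flows(text):
    """Parse flow lines into (src, dst, port); malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            flows.append((ipaddress.ip_address(parts[0]),
                          ipaddress.ip_address(parts[1]), int(parts[2])))
        except ValueError:
            continue
    return flows


def audit(inventory, flow_text):
    """Return unknown devices on the device VLAN and outbound policy violations.

    Only flows whose source is inside MEDICAL_SUBNET are policed; inbound
    traffic to the devices would be a separate rule set.
    """
    by_ip = {ipaddress.ip_address(d["ip"]): d for d in inventory}
    unknown = set()
    violations = []
    for src, dst, port in parse_flows(flow_text):
        if src not in MEDICAL_SUBNET:
            continue
        if src not in by_ip:
            unknown.add(str(src))  # talking from the device VLAN but not inventoried
            continue
        if not any(dst in net and port == allowed_port for net, allowed_port in ALLOWED):
            violations.append((by_ip[src]["name"], str(dst), port))
    return {"unknown_devices": sorted(unknown), "policy_violations": violations}


if __name__ == "__main__":
    report = audit(INVENTORY, FLOW_LOG)
    for ip in report["unknown_devices"]:
        print(f"UNKNOWN DEVICE on device VLAN: {ip} (add to inventory or remove from network)")
    for name, dst, port in report["policy_violations"]:
        print(f"SEGMENTATION VIOLATION: {name} -> {dst}:{port} (not in allowed destinations)")
```

In the constructed log, 10.50.0.23 is on the device VLAN but not in the inventory, and the patient monitor reaches out to an external host on port 445 (SMB), which the policy never allows. Both findings are exactly what an inventory and a segmentation design are meant to surface, and neither requires an agent on the device.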

Need help managing legacy medical devices or systems? The Clearwater team can help; let’s schedule a call.

