Strong Opinions Voiced on Medical Device Security Challenges
Stakeholders Spotlight a Long List of Problems in Feedback to House Committee
The House Energy and Commerce Committee, which asked the healthcare sector for feedback on how to improve the cybersecurity of legacy medical devices, has received some very strong opinions on the subject.
For example, the College of Healthcare Information and Management Executives and its subgroup, the Association of Executives in Healthcare Information Security, stress that healthcare provider organizations generally believe they are carrying a "disproportionate" burden of the risks involved with legacy devices, compared with the manufacturers of these products.
The committee in April issued a request for information regarding the use of legacy technologies in healthcare. A committee staff member tells Information Security Media Group that the committee received "a large amount of responses" by its May 31 deadline, and committee staff is still reviewing what came in.
"Legacy technology issues were a huge portion of the [Department of Health and Human Services'] Cybersecurity Task Force report (405(d) report), so it was a driver in us focusing in on legacy tech and conceptualizing the RFI," the aide says.
In its RFI, the committee notes: "While healthcare cybersecurity is a complex, nuanced challenge with many different contributing factors, the use of legacy technologies, which are typically more insecure than their modern counterparts, continues to be a root cause of many incidents."
The committee said the feedback it received would be made public, but so far the panel has apparently not posted any comments. A number of organizations, however, have released the comments they submitted.
In their comments, CHIME and its AEHIS subgroup wrote several observations about and recommendations for tackling legacy medical device cybersecurity challenges.
"Increasingly, our members report that suppliers are taking a stronger interest in securing medical devices in ways that simply were not happening in prior years. Nonetheless, providers perceive they are largely shouldering the risk associated with medical devices and that this disproportionate risk distribution results in an unfair and unreasonable risk to patient safety as well as an increased cost to their operations," CHIME and AEHIS write.
"In many instances, providers feel as if they pay for the same medical device twice, once to purchase it and once more to secure it appropriately for cyber risks. While providers acknowledge they do own some of the risk for these legacy devices, they believe a shared responsibility between the suppliers and the providers is warranted for appropriate risk distribution compared to the current approach where one party assumes the majority of the responsibility."
CHIME and AEHIS say there's a need for more specific industry standards for the definition of "legacy medical device," as well as industry standards for categorizing device cyber risks.
"Given the heterogeneity of medical devices, a risk-based approach for categorizing cyber risk based on the type of device and its intended functionality would help the industry, as currently the stratification of cyber risk is largely subjective," the letter notes.
CHIME and AEHIS also stress that device makers need to be more forthcoming about cyber vulnerabilities in their products.
"Suppliers should provide documentation of vulnerabilities within their products, and this should include documentation on vulnerabilities that have not been publicly disclosed," they write. "The documentation should include a description of each vulnerability and its potential impact, as well as recommended compensating security controls, mitigations, and/or procedural workarounds."
Medical device risk reporting should be aligned with the newly developed supply chain risk management content in version 1.1 of the National Institute of Standards and Technology's Cybersecurity Framework, the organizations suggest.
In its comments, the American Hospital Association suggests that to support end users, "device manufacturers should provide security tools as part of a device - logs, whitelisting, vulnerability scanning, software bill of materials, separation of privileges, intrusion detection systems, change control systems, etc. - provide devices with secure configurations based on a reference technical standard, and communicate with hospitals about how and when the manufacturer plans to remotely support a device."
AHA adds: "They also should provide best practice guidance that allows the provider to integrate a device into its enterprise security without excessive cost and effort. There is a significant contrast between the ease and efficiency of updating network and PC software for security and updating software embedded in medical devices. Software companies have generally prioritized creating a systematic approach for sharing timely updates and providing guidance on how to complete them. Similar approaches have yet to be deployed by medical device manufacturers."
The Advanced Medical Technology Association, or AdvaMed, a trade association representing makers of medical devices, diagnostic products and health information systems, offered a different perspective on the challenges.
AdvaMed notes in its comments that the committee's RFI "suggests a misalignment between advancements in medical device technology and overall technology; it does not directly acknowledge that medical devices cannot support updates beyond the useful life of the underlying technology, which for common off-the-shelf components can be as short as three to four years."
Once an underlying technology is deprecated or reaches the end of its useful life - for example, 32-bit processors, older encryption algorithms, limits on total system storage and memory, and other hardware constraints - updates are either no longer available or not possible, AdvaMed notes. "Manufacturers and healthcare delivery organizations typically implement defense-in-depth controls to mitigate risks presented by legacy technologies; however, these technologies simply cannot be supported in perpetuity," it writes.
AdvaMed claims that a statement in the committee's RFI "significantly underestimates" the cost of remediating a single vulnerability.
"Though hard data about the exact costs are difficult to determine, one cybersecurity professional estimated that fixing a single vulnerability may cost an organization anywhere from $400 to $4,000," AdvaMed notes. "For a typical vulnerability, the specified range underestimates costs by an order of magnitude due to labor costs associated with development, verification and validation, risk management file revision, customer communication, and regulatory requirements. Additional costs on the user/owner side could also be incurred to apply the solution."
The association agrees with a statement in the committee's RFI that requiring "manufacturers to support legacy technologies indefinitely would therefore likely have significant impacts on their ability to provide new and innovative technologies, as their resources would necessarily have to be spent maintaining their legacy products."
AdvaMed writes: "Adoption of policies to support legacy technologies indefinitely would slow the development of new and innovative medical technologies, and may have a direct impact on the financial viability of smaller innovative manufacturers."