Cybersecurity of legacy tech in health care focus of government RFI
In the RFI, the Committee is requesting information regarding challenges, opportunities, considerations, and suggestions concerning the use of legacy technologies in the health care sector. These legacy technologies, says the Committee, have been a root cause of many health care cybersecurity challenges.
“While health care cybersecurity is a complex, nuanced challenge with many different contributing factors, the use of legacy technologies, which are typically more insecure than their modern counterparts, continues to be a root cause of many incidents,” the Committee says. “The health care sector and medical technologies face the same challenge that has vexed the information technology (IT) industry for decades; digital technologies age faster and less gracefully than their physical counterparts.”
The RFI post goes on to note the global infection of hundreds of thousands of devices by the WannaCry ransomware cryptoworm in 2017 – an infection that was enabled by a flaw in a 30-year-old software protocol. It was only through the timely intervention of an independent security researcher, says the Committee, that the United States health care sector escaped the worst of the danger.
“However,” the Committee continues, “the existence of this severely outdated protocol throughout modern medical networks — including within devices such as MRIs and X-Ray machines, in addition to traditional desktops — alerted stakeholders to the pervasiveness and severity of the legacy problem in health care. The WannaCry outbreak occurred primarily because of one protocol embedded within dozens of unique medical technologies. In the aftermath of the outbreak, health care stakeholders were faced with a troubling question: how many other potential ‘WannaCrys’ lurk within their environments?”
The Committee recognizes that replacing such older technologies and devices can be costly and time-consuming, and that in some cases replacements or alternatives for some specialized products may not be available. Equally troublesome, says the Committee, would be the idea of requiring manufacturers and developers of medical technologies to support these technologies for as long as they are still in circulation.
With the RFI, the Committee hopes to better understand “the full scope of the challenge and potential paths to address it” by receiving insights from stakeholders of all sizes and from all parts of the health care sector. The issues are being collected under the heading “Supported Lifetimes.”
For more, see the RFI: Supported Lifetimes Request for Information.