To help address the cybersecurity risks of legacy devices used in healthcare environments, the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has published “Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS).” The guide recommends cybersecurity strategies that manufacturers and health providers can implement for legacy medical technology as a shared responsibility in the clinical environment, and provides insights for designing future devices that are more secure.
The guide was published on March 2, the same day the White House released its “National Cybersecurity Strategy,” which envisions an increased emphasis on protecting the nation’s critical infrastructures from cyber threats and incidents, including:
- Rebalancing the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.
- Realigning incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.
The HIC-MaLTS details best practices and recommendations in a modular and actionable format for medical device manufacturers (MDMs), healthcare delivery organizations (HDOs), and other technology providers whose products are used in healthcare environments.
The guide covers the “Core Pillars” of a comprehensive legacy technology cyber risk management program, including:
- Governance: How should healthcare stakeholders govern to ensure effective legacy technology cyber risk management?
- Communications: How should organizations communicate—internally, to their customers, with regulators, and to the public—to manage legacy technology risk?
- Cyber Risk Management: For current and future legacy technologies, how should organizations manage cyber risk to limit current risk and avoid or minimize future risk?
- Future Proofing: How should MDMs and other technology providers design, deploy, and maintain their technologies to avoid or lessen legacy technology risks?
The HSCC is a coalition of private-sector critical healthcare infrastructure entities organized under a national public-private partnership framework to partner with and advise the government in the identification and mitigation of strategic threats and vulnerabilities facing the sector’s ability to deliver services and assets to the public. The HSCC Cybersecurity Working Group is composed of almost 400 industry and government organizations collaborating to develop strategies to address emerging and ongoing cybersecurity challenges to the health sector.