The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) published a comprehensive guide to address the management of cybersecurity risk caused by legacy technologies used in healthcare environments.  

The guide—Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS)—recommends cybersecurity strategies that manufacturers and health providers can implement for legacy medical technology as a shared responsibility in the clinical environment, and provides insights for designing future devices that are more secure.

Concurrently, the White House released its “National Cybersecurity Strategy” which envisions an increased emphasis on protecting the nation’s critical infrastructures from cyber threats and incidents. The HIC-MaLTS addresses that emphasis through a rigorously-negotiated program of cybersecurity management and accountability between health delivery organizations and medical technology companies involving legacy medical systems in the clinical environment.

Further reading: 5 Elements of a Comprehensive Cybersecurity Strategy

The HIC-MaLTS details best practices and recommendations in modular and actionable format for medical device manufacturers (MDMs), healthcare delivery organizations (HDOs), and other technology providers whose products are used in healthcare environments.

The HIC-MaLTS guide includes:

  • The “Core Pillars” of a comprehensive legacy technology cyber risk management program:
    • Governance: How should healthcare stakeholders govern to ensure effective legacy technology cyber risk management?
    • Communications: Internally, to their customers, regulators, and the public—how should organizations communicate to manage legacy technology risk?
    • Cyber risk management: For current and future legacy technologies, how should organizations manage cyber risk to limit current risk and avoid or minimize future risk?
    • Future proofing: How should MDMs and other technology providers design, deploy, and maintain their technologies to avoid or lessen legacy technology risks?

The HSCC task group that developed this resource consisted of 65 organizational members co-led by Intermountain Healthcare, Elekta, and FDA.  The work process involved three years of engagement, negotiation and drafting among health delivery and medtech companies, demonstrating a collaborative commitment to the principle of shared responsibility.  The result was compromise, consensus and actionable practices that ultimately will increase security, lower costs, and protect patient safety, according to the release.