Cycling out legacy systems and devices that create cybersecurity vulnerabilities for healthcare providers is a difficult task that could benefit from a structured incentive program, experts say.
One reason healthcare is plagued with cybersecurity vulnerabilities is that the industry is built on a bedrock of legacy systems and devices in an increasingly connected environment. Many of these devices were never intended to be connected to the internet, and patching those systems can be difficult since the impact of a security patch on an older device is often unknown.
“The healthcare sector is particularly sensitive to the internet of things,” Leo Scanlon, deputy chief information security officer at the Department of Health and Human Services, said during a House subcommittee hearing last week. “Many devices were not developed with the intention of being on the internet. It was never intended they would be able to talk to other devices, yet they are.”
But, as one medical device manufacturer recently told Joshua Corman, director of the Cyber Statecraft Initiative at Atlantic Council’s Brent Scowcroft Center and founder of I Am The Cavalry, it can be difficult to pry old devices “out of healthcare’s cold, dead hands.”
Corman and his fellow authors of the HHS Cybersecurity Task Force report have a potential solution: Incentivize providers to upgrade their legacy equipment through a program similar to Cash for Clunkers, the federal initiative designed to get safer, more fuel-efficient cars on the road.
“There’s a strong argument to do something similar here,” Corman said on a conference call hosted by the Atlantic Council last week. He noted that the average device life cycle can be as long as 20 years, while the life cycle of most operating systems is just six or seven years.
Experts worry that medical devices are the next big target for hackers, particularly given the steady rise of ransomware attacks within the healthcare industry over the last year. Scanlon said the presence of older devices is compounded by a common misperception among manufacturers that the Food and Drug Administration (FDA) does not allow device patching without approval.
The FDA has taken additional steps over the last year to address cybersecurity deficiencies within medical devices. The agency issued a warning to Abbott earlier this year requiring the manufacturer to fix deficiencies in a cardiac device within 15 days.