Cybersecurity in Medical Devices (Part 2)

Introduction

As mentioned in the previous article, cybersecurity measures must be implemented as an integral part of risk management in accordance with ISO 14971 (Medical device risk management). This systematic approach to cybersecurity is not merely an afterthought but rather a fundamental component of the overall safety and performance framework that medical device manufacturers must establish throughout the product lifecycle.

Risk Management and Cybersecurity Integration

For medical devices that connect to networks or exchange data with other medical devices and systems through means such as USB storage devices, manufacturers must address cyber attacks as potential hazards when conducting hazard analysis during the risk management process. This represents a critical shift in how the industry conceptualizes threats to medical devices, moving beyond traditional use-related hazards to include those that could be deliberately introduced by malicious actors.

In the post-market phase, ensuring appropriate cybersecurity responses requires the medical device manufacturer to conduct individual risk analyses tailored to each specific device’s characteristics, in close collaboration with relevant stakeholders including healthcare professionals. The manufacturer must then implement sufficient countermeasures to reduce risks posed by cyber attacks. This collaborative approach recognizes that healthcare facilities themselves represent part of the cybersecurity ecosystem and must be engaged as active partners in risk mitigation.

The Healthcare Network Environment

Consider a practical scenario to understand the importance of cybersecurity in connected medical devices. If a healthcare facility’s network security is inadequate, a computer virus could infect the particular medical device in question. Once infected, this malware could spread to other healthcare software systems or medical devices within that facility. Conversely, vulnerable healthcare software or other medical devices within the same network could introduce malware to the device under consideration. This bi-directional threat pathway underscores why manufacturers cannot view cybersecurity as solely their responsibility; the healthcare facility’s infrastructure plays an essential role in determining whether a well-designed device can be compromised in the field.

Coordination with Healthcare Facilities

When a medical device company discovers a cybersecurity vulnerability in its device, it must promptly notify the relevant healthcare facilities. Healthcare facilities receiving such a notification must in turn promptly suspend use of the affected device and isolate it from their network systems. However, the method and channel through which the notification is communicated are critically important.

The Vulnerability Disclosure Dilemma

If vulnerabilities are disclosed through unreliable channels, the notification itself becomes counterproductive by inadvertently revealing the vulnerability to malicious actors who may not have previously been aware of the security weakness. This phenomenon is well-recognized in the cybersecurity community and underscores the need for responsible disclosure practices. The vulnerability disclosure process should therefore be carefully planned and executed through trusted communication pathways that have been established in advance.

Manufacturers should establish advance agreements with healthcare facilities regarding the appropriate methodology for communicating cybersecurity vulnerabilities. These agreements might specify secure communication channels, notification timelines, and the appropriate level of technical detail to be shared. Such pre-arrangement ensures that when vulnerabilities are discovered, notification can proceed swiftly without compromising security.

Variability in Industry Response

The timeliness and transparency of vulnerability disclosure often correlates with company maturity and resources. Mature, well-established medical device manufacturers typically respond to discovered cybersecurity vulnerabilities by promptly issuing notifications and guidance to affected users. Conversely, small and mid-sized enterprises may sometimes refrain from disclosing cybersecurity vulnerabilities due to concerns about product withdrawal from the market or business discontinuation. When vulnerabilities go unreported, the risk of expanded harm to patients and healthcare operations becomes a significant concern, affecting not only the facility in question but potentially the broader healthcare community.

The regulatory environment is increasingly emphasizing transparency in vulnerability management. Regulatory bodies in the United States (FDA), European Union (EMA), and Japan (PMDA) expect manufacturers to maintain robust vulnerability detection and disclosure processes as part of their post-market surveillance obligations. Failure to report known vulnerabilities can result in regulatory action and reputational damage.

Legacy Medical Devices

Products sold in the past that are currently in use may constitute “legacy medical devices”—a term referring to devices that cannot be reasonably protected against the current cybersecurity threat landscape through practical means.

Definition and Characteristics

A legacy medical device is defined as a medical device that cannot be protected against contemporary cybersecurity threats through feasible countermeasures such as updates or complementary mitigation strategies. The term “legacy” in this context is not determined by the device’s age in years, but rather by whether it can be reasonably protected against modern threats using available and proportionate methods.

A common and problematic situation arises when the clinical utility of a medical device extends well beyond the manufacturer’s commitment period for security support. Users may wish to continue operating a device long after the manufacturer ceases to provide security patches or updates, creating a period of vulnerability during which known exploits may be leveraged against the device.

Important Clarifications

A critical point that warrants emphasis: a device should not be classified as legacy solely based on age. For example, a device released less than one year ago could be classified as legacy if it cannot reasonably be protected against contemporary cybersecurity threats. Conversely, a device that has been in use for more than five years is not necessarily legacy if reasonable protection measures remain feasible—whether through continued security updates, compensating controls, or network isolation strategies.

Particularly concerning is the scenario in which a device becomes legacy immediately upon or shortly after market release. This can occur when manufacturers lack sufficient cybersecurity expertise during the design phase. Design engineers must possess current and comprehensive knowledge of cybersecurity principles to integrate security appropriately into the device from inception. Retrofitting security into a device after release, while sometimes necessary, is far less effective than designing security in from the start.

Regulatory Guidance on Legacy Devices

International medical device regulatory guidance, particularly that developed by the Global Harmonization Task Force (GHTF) and reflected in regulatory frameworks such as FDA guidance and EU MDR requirements, has introduced new considerations for managing legacy medical devices.

A key recommendation from these regulatory bodies is that medical device manufacturers should clearly communicate the End of Support (EOS) period for each device to healthcare providers. The EOS represents the date after which the manufacturer will no longer provide security updates, patches, or technical support for the device. This timeline should be established based on the device’s security characteristics, threat landscape evolution, and the manufacturer’s capacity to support older software versions.

After agreement is reached regarding the EOS, the risk of continued use of the device up to its End of Life (EOL)—the date the device is physically removed from service—transfers to the healthcare provider. Healthcare facilities must make informed decisions about whether to continue using the device after support ends, understanding the security risks this entails. Some facilities may choose to implement compensating controls such as network isolation or restricted connectivity. Others may determine that the risks are unacceptable and discontinue use earlier than the originally planned EOL.

Business and Risk Implications

From a risk management perspective, inadequately protected legacy medical devices represent an attractive target for hackers and cybercriminals. These devices often embody known vulnerabilities that cannot be patched and may operate using outdated protocols no longer protected by contemporary firewalls and intrusion detection systems. Leaving such devices in operation, unmanaged and unprotected, represents a significant business continuity risk for the medical device manufacturer, potentially exposing the company to liability claims, regulatory sanctions, and reputational damage.

Conversely, the management of legacy medical device portfolios can create business opportunities. As devices approach or exceed their security support windows, manufacturers can develop and market updated device versions with enhanced security features, offering device upgrades, replacements, or new product lines to healthcare facilities seeking to manage cybersecurity risks. Proper management of the legacy device transition can transform a compliance obligation into a business development opportunity.

Recommended Actions for Device Manufacturers

Given the significant implications of legacy device management, medical device manufacturers should undertake the following activities at an early stage, with the goal of revising their business continuity plans and overall business strategy to address the security lifecycle dimension of their product portfolios:

Identification of Legacy Devices: Manufacturers should systematically review their product portfolio to identify devices that may meet the definition of legacy medical devices. This assessment should consider the current threat landscape, the availability of security updates, and the technical feasibility of implementing protective measures.

Vulnerability Assessment and Response Planning: For devices identified as legacy or at risk of becoming legacy, manufacturers should conduct comprehensive vulnerability assessments and develop detailed response plans. These plans should include timelines for implementing compensating controls, communicating with users, or planning device discontinuation. The End of Support date should be clearly defined and communicated.

Healthcare Provider Inventory: Manufacturers should work to identify and maintain an updated inventory of healthcare facilities and other end users actively using their legacy devices. This allows for targeted communication and support during the transition period and enables the manufacturer to tailor risk management strategies to specific use environments.

Planned and Coordinated Discontinuation: Ideally, the transition away from legacy devices should be carefully planned to ensure business continuity. Rather than allowing devices to remain in use indefinitely following loss of manufacturer support, manufacturers should provide healthcare providers with appropriate advance notification and work collaboratively to implement a phased transition to supported devices or alternative solutions. This coordinated approach helps ensure patient safety while minimizing disruption to healthcare operations.
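As an added illustration, not taken from the original article, of two points made above: that legacy status is decided by whether the device can feasibly be protected rather than by its age, and that the portfolio review pairs that decision with the declared EOS date and the healthcare-provider inventory. The device models, facility names and dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Device:
    model: str
    release: date                   # market release date
    updates_available: bool         # manufacturer can still ship security patches
    controls_feasible: bool         # compensating controls (e.g. network isolation) are practical
    end_of_support: date | None     # EOS communicated to providers; None = not yet declared
    facilities: list = field(default_factory=list)  # provider inventory for this model

def is_legacy(d: Device) -> bool:
    """Legacy per the definition above: no feasible protection. Age plays no part;
    either a patch path or a feasible compensating control is enough to avoid the label."""
    return not (d.updates_available or d.controls_feasible)

def review_portfolio(devices, today=date(2025, 6, 1)):
    """Per-device findings: legacy status, EOS state, who to notify, next step."""
    findings = {}
    for d in devices:
        legacy = is_legacy(d)
        eos_passed = d.end_of_support is not None and d.end_of_support <= today
        if legacy and d.end_of_support is None:
            action = "declare EOS and notify providers through the pre-agreed channel"
        elif legacy and eos_passed:
            action = "risk now rests with the provider: coordinate phased discontinuation"
        elif legacy:
            action = "plan compensating controls or discontinuation before EOS"
        else:
            action = "not legacy: keep monitoring the threat landscape"
        findings[d.model] = {
            "age_years": (today - d.release).days // 365,
            "legacy": legacy,
            "eos_passed": eos_passed,
            # notification is due when the device is legacy or its EOS has passed
            "notify": sorted(d.facilities) if (legacy or eos_passed) else [],
            "action": action,
        }
    return findings

def sample_portfolio():
    """Constructed portfolio (hypothetical models and facility names)."""
    return [
        Device("pump-A", date(2024, 9, 1), False, False, None, ["clinic-1", "hospital-2"]),
        Device("monitor-B", date(2018, 3, 15), False, True, date(2023, 1, 1), ["hospital-2"]),
        Device("imaging-C", date(2015, 5, 5), True, True, date(2026, 12, 31), ["hospital-3"]),
    ]
```

In the sample, pump-A is under a year old yet legacy, while monitor-B is seven years old and past EOS but not legacy because isolation remains feasible.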

Conclusion

Cybersecurity in medical devices is not a static requirement to be met at market approval and then forgotten. It is an evolving responsibility that extends throughout the product lifecycle and beyond. The integration of cybersecurity into risk management frameworks, active engagement with healthcare partners, responsible vulnerability disclosure, and proactive management of legacy devices all reflect the maturing approach that the medical device industry must adopt to protect patient safety in an increasingly connected healthcare environment.
