“Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks” identifies near-term solutions to address the challenges posed by legacy medical devices, including considerations for adoption by less-resourced healthcare delivery organizations, such as rural providers and safety-net hospitals.
Over the past several years, the healthcare sector has worked on addressing the challenges posed by legacy medical devices, devices which still perform their primary function but may be vulnerable to cybersecurity risks. The Food and Drug Administration asked MITRE to develop a white paper that builds on this work, focusing on near-term solutions, providing advice on operationalizing key recommendations from the previous work, and including considerations for implementation by less-resourced healthcare delivery organizations (HDOs), such as rural providers and safety-net hospitals.
Working with a small group of stakeholders, including HDOs, medical device manufacturers, general purchasing organizations, distributors, hospital accrediting organizations, and federal agencies, MITRE identified the challenges in adopting the processes developed in the previous sector work, and developed several recommendations to address them, including shared responsibility over the medical device life cycle, vulnerability management, workforce development, and mutual aid. We proposed studies and pilots to drive adoption and recommended creating templates, standardized information, and processes to help less-resourced HDOs manage the risks posed by their legacy medical devices.