
Securing Legacy Medical Devices Beyond Patching

Summary

– Hospitals should isolate legacy medical devices by restricting network access to only trusted traffic when patches are unavailable.
– Close collaboration with vendors is essential to develop phased replacement plans for outdated systems and reduce security risks over time.
– Healthcare organizations should adopt proactive, risk-based security approaches that go beyond compliance to prioritize education and informed risk decisions.
– Security principles from other industries, like limiting connectivity and standardizing technologies, can strengthen medical device cyber resilience.
– AI-enabled medical devices introduce risks related to data quality and integrity, requiring safeguards for data protection and transparent decision-making.

Securing legacy medical devices presents a unique challenge for healthcare organizations, especially when these critical tools no longer receive security patches. During a recent discussion, Patty Ryan, Senior Director and CISO at QuidelOrtho, explored how hospitals can protect aging systems, improve collaboration with vendors, and implement forward-looking, risk-based security strategies. She also addressed the growing cybersecurity implications as AI-powered and connected medical devices become increasingly common in clinical settings.

When asked how hospitals should manage legacy systems that are no longer supported with patches, Ryan outlined two primary approaches. She emphasized that completely removing a medical device from service is often impractical. Instead, she recommends building strong protective barriers around the device, ensuring that only authorized and verified network traffic can communicate with it. Her second point stressed the importance of working closely with equipment vendors to identify potential upgrade options. Most manufacturers prefer that their clients avoid using outdated technologies that increase security vulnerabilities. If a device is too old to secure properly, that situation represents a significant concern. Ryan advises healthcare providers to initiate conversations with their vendors early, openly discussing budget limitations and project timelines. This transparency allows vendors to develop a structured, phased plan for replacing older systems, thereby gradually reducing the organization’s overall security risk.
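The first approach Ryan describes, putting a barrier around an unpatchable device so that only authorized, verified traffic reaches it, is in practice an allowlist enforced at the segment boundary and then audited against the flows the network actually records. The Python below is an added example, not code from the article or from QuidelOrtho: the device address, the peer networks and ports, the flow-log format and the log lines are all constructed for illustration. It turns one allowlist into both an nftables fragment for the firewall in front of the device and an audit over flow records that flags anything the barrier should have stopped, including the device itself initiating connections to unlisted destinations.

```python
"""Allowlist barrier for a single legacy medical device: generate the firewall
rules from one policy and audit recorded flows against that same policy."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed example values (not from the article): the legacy device and the
# only peers that are permitted to open connections to it.
LEGACY_DEVICE = ipaddress.ip_address("10.20.30.40")

# Each rule: (peer network, destination port on the device, protocol, purpose)
ALLOW_RULES = [
    (ipaddress.ip_network("10.20.31.0/24"), 104, "tcp", "DICOM from imaging gateway segment"),
    (ipaddress.ip_network("10.20.32.5/32"), 2575, "tcp", "HL7 from interface engine"),
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str


# Hypothetical flow-log line format used for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow(line: str) -> Flow:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(
        m["ts"],
        ipaddress.ip_address(m["src"]),
        ipaddress.ip_address(m["dst"]),
        int(m["dport"]),
        m["proto"].lower(),
    )


def classify(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason). Only flows that touch the legacy device are policed."""
    if flow.dst == LEGACY_DEVICE:
        for net, port, proto, purpose in ALLOW_RULES:
            if flow.src in net and flow.dport == port and flow.proto == proto:
                return "allow", purpose
        return "deny", "inbound from unlisted peer, port or protocol"
    if flow.src == LEGACY_DEVICE:
        # A barrier should also stop the device from opening new sessions to
        # anything but its listed peers (simplified: any port to a listed peer).
        for net, _port, _proto, purpose in ALLOW_RULES:
            if flow.dst in net:
                return "allow", f"outbound to listed peer ({purpose})"
        return "deny", "device-initiated connection to unlisted destination"
    return "ignore", "flow does not involve the legacy device"


def audit(lines: list[str]) -> list[tuple[str, str, str]]:
    """Classify every flow record; returns (timestamp, verdict, reason) per line."""
    return [(f.ts, *classify(f)) for f in map(parse_flow, lines)]


def to_nftables() -> str:
    """Render ALLOW_RULES as an nftables forward-chain fragment with a drop default."""
    rules = ["    ct state established,related accept"]
    for net, port, proto, purpose in ALLOW_RULES:
        rules.append(
            f"    ip saddr {net.with_prefixlen} ip daddr {LEGACY_DEVICE} "
            f"{proto} dport {port} accept  # {purpose}"
        )
    body = "\n".join(rules)
    return (
        "table inet legacy_device {\n  chain forward {\n"
        "    type filter hook forward priority 0; policy drop;\n"
        f"{body}\n  }}\n}}\n"
    )


# Constructed flow records: two authorized sessions, a workstation probing the
# device on SMB, the device calling out to an external address, an unrelated
# flow, and an authorized peer using the wrong protocol.
SAMPLE_LOG = [
    "2024-05-01T08:00:00Z src=10.20.31.7 dst=10.20.30.40 dport=104 proto=tcp",
    "2024-05-01T08:00:05Z src=10.20.32.5 dst=10.20.30.40 dport=2575 proto=tcp",
    "2024-05-01T08:01:00Z src=10.20.50.9 dst=10.20.30.40 dport=445 proto=tcp",
    "2024-05-01T08:02:00Z src=10.20.30.40 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-05-01T08:03:00Z src=10.20.50.9 dst=10.20.50.10 dport=80 proto=tcp",
    "2024-05-01T08:04:00Z src=10.20.31.7 dst=10.20.30.40 dport=104 proto=udp",
]

if __name__ == "__main__":
    print(to_nftables())
    for ts, verdict, reason in audit(SAMPLE_LOG):
        print(f"{ts} {verdict:6} {reason}")
```

Denied flows in the audit output are the signal that either the barrier is not where the policy says it is, or a peer the clinical workflow genuinely needs was never added to the allowlist; both are worth a conversation with the vendor before the rule set is tightened further.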

On the topic of balancing compliance requirements with proactive security measures, Ryan noted that a risk-based approach actually supports compliance goals. Regulatory frameworks validate that essential security controls are in place, such as patch management, access controls, and system monitoring for incident response. The objective for healthcare organizations should be to advance beyond simply checking compliance boxes. They can achieve this by adopting proactive security practices, investing in continuous staff education, and making deliberate decisions about which risks to mitigate and which to accept based on their specific environment.

Ryan also considered whether healthcare could learn from security practices in other sectors like critical infrastructure or Internet of Things (IoT) security. While every industry confronts distinct threats, the foundational security principles are universal. Whether dealing with IoT sensors, Bluetooth devices, or networked medical equipment, the core requirements are consistent: thoroughly understand your digital environment, restrict unnecessary connections, and design systems for resilience. Hospitals often operate tens of thousands of interconnected devices with varying risk levels and connectivity. The focus, she suggests, should be on simplifying this complex landscape by standardizing technologies, collaborating with vendors to reduce the number of different device types, and applying uniform security controls. She pointed to the manufacturing sector as an example, where cyber resilience is crucial for minimizing disruption to production lines and the wider supply chain. A single security breach should not have the power to halt entire operations. Nevertheless, many organizations continue to operate forgotten, obsolete systems. Retiring these legacy assets, streamlining the technology environment, and continuously identifying and managing risk are vital steps.

Regarding collaboration among regulators, vendors, and healthcare providers to tackle systemic risks, Ryan observed that meaningful progress has occurred when technology companies voluntarily commit to building cyber resilience directly into their products from the design phase. Unfortunately, this momentum has not always been sustained. In her view, the most effective advances often stem from industry-led initiatives rather than mandated legislation, especially when organizations independently choose to prioritize security. Cyber risk is a permanent fixture, yet it frequently remains underestimated and inadequately addressed. If security becomes a competitive advantage, a feature that customers actively seek when selecting technology, it could motivate vendors to innovate. A collective effort to decrease cyberattacks benefits everyone, allowing resources currently dedicated to ransomware response to be redirected toward enhancing patient care and outcomes.

Looking ahead to the proliferation of AI-enabled and connected devices, Ryan highlighted new security considerations. AI possesses significant power but lacks human judgment, and its effectiveness is entirely dependent on the quality of its training data. People often overlook the backend infrastructure that supports AI systems. The primary risk lies not in how the AI functions, but in the potential for the data fueling it to be inaccurate, biased, or harmful. A comprehensive, end-to-end security perspective is essential, covering how data is gathered, protected, and used to train and validate models. Clean, reliable data is more critical than ever for mitigating emerging security threats. Protecting data integrity and ensuring transparency in AI-driven decisions will be fundamental to maintaining patient safety as these advanced technologies become deeply embedded in healthcare delivery.

(Source: HelpNet Security)
