Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS)

When the Healthcare & Public Health Sector Coordinating Councils (HSCC) Legacy Task Group was originally instantiated, it was focused on legacy medical devices in particular as a source of risk. The group was called, in fact, the Legacy Devices Task Group.

However, devices are only a subset—a large and critically important subset, but a subset nonetheless—of the technologies within healthcare environments that can become legacy, and can pose legacy related cyber risks. To fully manage cyber risk in a modern healthcare environment, HDOs must consider FDA regulated devices, non-FDA regulated devices, laboratory equipment, building and facilities technologies, mortuary equipment, general information technologies, and many more. And because these technologies also age, becoming more vulnerable and/or unsupported, the same legacy pressures traditionally identified as affecting medical devices also affect these other technologies. Consequently, as the work continued, the group began considering legacy cyber risk in the broader context of “technologies,” and not just devices.

The recommendations made in the document are largely focused on one of two sets of stakeholders: Medical Device Manufacturers (MDMs) or Healthcare Delivery Organizations (HDOs). At face value, then, they leave out these other, non-regulated medical device technologies.