The Rising Threat of Cyberattacks in Healthcare: A Focus on Ransomware and Legacy Devices
In recent years, the healthcare sector has increasingly become a prime target for cyberattacks, with ransomware incidents making headlines and disrupting critical services. One notable case occurred earlier this year when a ransomware attack on the Ascension health system led to widespread system failures across multiple states. Pharmacies were forced to close, and clinicians had to revert to using paper records, highlighting the severe impact such attacks can have on patient care and safety.
The Growing Frequency of Cyberattacks
As the digital landscape evolves, so too do the tactics employed by cybercriminals. Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the FDA’s device center, noted the alarming rise in the frequency of these attacks. "These are becoming more and more frequent, unfortunately," she stated during a recent discussion at AdvaMed’s The MedTech Conference. The increasing reliance on technology in healthcare has made hospitals vulnerable, prompting regulators and medical device companies to collaborate on strategies to mitigate these risks.
In response to the growing threat, Congress passed regulations in 2023 that specify cybersecurity requirements for medical device manufacturers. The FDA also issued final guidance aimed at ensuring that future medical devices are designed with security in mind. However, while these regulations are a step in the right direction, they do not fully address the challenges posed by legacy medical devices.
The Legacy Device Dilemma
Legacy medical devices, which often run on outdated or unsupported software, present significant cybersecurity vulnerabilities. Schwartz emphasized that many of these devices are still operational in hospitals, performing their intended functions but lacking the necessary security updates to protect against modern threats. The FDA has observed submissions for new devices that rely on outdated operating systems, which are now prohibited under the new cybersecurity rules. "What we’re left with right now remains a huge challenge," Schwartz added, highlighting the ongoing risks associated with these aging technologies.
The issue is compounded by the phenomenon of "technical debt," where older devices are sold to smaller hospitals, perpetuating the cycle of vulnerability. Chris Reed, Medtronic’s senior director of cybersecurity policy, pointed out that this practice makes it increasingly difficult to secure the healthcare environment. "We keep passing the debt around," he noted, underscoring the need for a more sustainable approach to device management.
Strategies for Addressing Legacy Device Challenges
To tackle the legacy device problem, collaboration between medtech companies and hospitals is essential. Reed suggested that device manufacturers should adopt a forward-thinking approach when developing their products. "We’ve sometimes made some bad choices, frankly, around using consumer operating systems like Android for devices," he explained. Without a robust plan for updates, these devices can quickly become obsolete as operating systems evolve.
One potential solution is to design devices that do not rely on consumer operating systems, thereby simplifying the update process. Additionally, establishing a system for regular updates can help ensure that devices remain secure over time. Ashley Mancuso, who oversees product security for Johnson & Johnson MedTech, emphasized the importance of being able to patch devices promptly. The company has developed an accelerated patching process for updates that do not affect a device’s fit, form, or function, ensuring that security measures can be implemented swiftly.
The Role of Regulatory Bodies
The FDA recognizes that the challenge of aligning operating systems with medical devices is a complex issue that cannot be solved in isolation. Schwartz noted that the agency is working with the International Medical Device Regulators Forum, including Health Canada, to address these challenges collaboratively. "It’s a work in progress," she admitted, emphasizing the need for ongoing dialogue among stakeholders to develop effective solutions.
Conclusion
As cyberattacks continue to pose a significant threat to the healthcare sector, the need for robust cybersecurity measures has never been more critical. The recent ransomware attack on the Ascension health system serves as a stark reminder of the vulnerabilities that exist within healthcare infrastructure. While new regulations and guidance from the FDA represent important steps toward enhancing device security, the challenges posed by legacy devices remain a pressing concern. By fostering collaboration between medtech companies, hospitals, and regulatory bodies, the healthcare industry can work towards a more secure future, ultimately ensuring better protection for patient data and care delivery.