In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery of Blue Goat Cyber delve into the complex cybersecurity challenges surrounding legacy medical devices. They define legacy devices as those cleared by the FDA under previous, less stringent cybersecurity guidelines, which are now widely deployed in healthcare settings but often lack modern security controls. The core problem, as discussed, is the infeasibility of simply replacing or redesigning these thousands of devices, many of which have hardware limitations that prevent simple software patches or updates. The hosts explore how medical device manufacturers can navigate this landscape from both a regulatory and a practical cybersecurity perspective.
The main argument of the episode centers on the FDA's evolving approach to legacy device management. Slattery explains that the FDA is moving away from a one-size-fits-all requirement for complete security overhauls and toward a more nuanced, risk-based pathway. A critical concept introduced is the distinction between "uncontrolled risk" and "controlled risk." Uncontrolled risk refers to vulnerabilities that could lead to significant patient harm, making them unacceptable. In contrast, controlled risks are those with minimal, manageable impacts on patient safety that might be deemed acceptable. The hosts detail how this distinction affects the regulatory process: if a manufacturer makes a change to a legacy device unrelated to security (e.g., updating a clinical algorithm), they may be able to follow a reduced documentation pathway by providing a risk assessment, a Software Bill of Materials (SBOM), and a post-market management plan. However, if the change is security-related, such as altering a communication protocol, the device will likely be subject to the full, rigorous cybersecurity requirements applied to new devices, which could necessitate a complete redesign.
The podcast concludes by emphasizing the need for a proactive, total-product-lifecycle approach to cybersecurity, extending from initial design to final disposal. Espinosa and Slattery advocate for manufacturers to be fully aware of the vulnerabilities in their legacy products through measures like penetration testing and maintaining a comprehensive SBOM. They argue that this awareness is only useful when it becomes actionable. This includes implementing a robust post-market surveillance and management plan to monitor for new threats and, crucially, communicating identified risks to the healthcare organizations using the devices. By doing so, manufacturers empower users to implement their own mitigating controls, such as network segmentation or firewalls, creating a collaborative defense against potential cyber threats and ensuring patient safety.
Key Takeaways
1. Legacy medical devices are those approved under older FDA guidance, often lacking modern security controls and facing hardware limitations that prevent easy updates.
2. The FDA is shifting from demanding full redesigns for legacy devices to a risk-based approach, distinguishing between acceptable 'controlled' risks and unacceptable 'uncontrolled' risks.
3. Updates to a legacy device unrelated to security may only require a risk assessment, a post-market plan, and an SBOM.
4. However, any change that impacts a legacy device's cybersecurity posture will trigger the FDA's full, modern cybersecurity submission requirements, just as if it were a new device.
5. It is impractical and costly to recall and replace all legacy devices, making proactive post-market management and risk mitigation essential.
6. Security for medical devices should be considered throughout the entire product lifecycle, from initial design concept to final disposal.
7. Manufacturers should perform proactive security testing, like penetration tests, on their legacy devices to understand the current risk landscape.
8. Awareness of vulnerabilities must be made actionable by communicating risks to healthcare providers, enabling them to implement compensating controls like network segmentation.
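The takeaways above (and the episode's discussion of post-market monitoring) describe keeping an SBOM for a legacy device and tracking which of its components have known-exploited vulnerabilities so that risk can be communicated to the hospitals using it. The following is an added example of that matching step; it is not code from the episode or from Blue Goat Cyber. It assumes a CycloneDX-style JSON SBOM, a constructed advisory feed with placeholder IDs (not real CVEs) and a hypothetical `affected_below` field marking the first fixed version, and a simple dotted-version comparison that also handles OpenSSL-style letter suffixes.

```python
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical legacy device firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl",   "version": "1.0.1e"},
    {"type": "library", "name": "zlib",      "version": "1.2.11"},
    {"type": "library", "name": "ble-stack", "version": "2.3.0"}
  ]
}
"""

# Constructed advisory feed. IDs are placeholders, not real CVE numbers.
# "affected_below" is a hypothetical field: versions older than it are affected.
# "known_exploited" mirrors the idea of a known-exploited-vulnerability list.
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl",   "affected_below": "1.0.1g",
     "known_exploited": True,  "summary": "memory disclosure in TLS handling"},
    {"id": "ADV-0002", "component": "zlib",      "affected_below": "1.2.12",
     "known_exploited": False, "summary": "out-of-bounds access in inflate"},
    {"id": "ADV-0003", "component": "ble-stack", "affected_below": "2.2.0",
     "known_exploited": True,  "summary": "pairing state confusion"},
]


def parse_version(version):
    """Turn '1.0.1e' into ((1,''),(0,''),(1,'e')) so tuples compare in order.

    Each dotted part is split into a numeric prefix and an optional letter
    suffix; Python compares the resulting tuples element by element.
    """
    key = []
    for part in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", part)
        if not m:
            raise ValueError(f"unsupported version string: {version!r}")
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def is_affected(component_version, affected_below):
    """True when the shipped version is older than the first fixed version."""
    return parse_version(component_version) < parse_version(affected_below)


def match_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair that applies.

    Findings are ordered with known-exploited issues first, because those are
    the ones a post-market plan must communicate to device operators soonest.
    """
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["affected_below"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "known_exploited": adv["known_exploited"],
                    "fixed_in": adv["affected_below"],
                    "summary": adv["summary"],
                })
    findings.sort(key=lambda f: (not f["known_exploited"], f["component"]))
    return findings


def summarize(findings):
    """Counts suitable for a periodic post-market report."""
    exploited = sum(1 for f in findings if f["known_exploited"])
    return {"total": len(findings), "known_exploited": exploited}


if __name__ == "__main__":
    results = match_sbom(SBOM_JSON, ADVISORIES)
    for f in results:
        flag = "KNOWN-EXPLOITED" if f["known_exploited"] else "advisory"
        print(f"[{flag}] {f['component']} {f['version']} -> {f['advisory']} "
              f"(fixed in {f['fixed_in']}): {f['summary']}")
    print(summarize(results))
```

Running the block lists openssl first (affected and flagged as known-exploited), then zlib (affected, not on the exploited list); the BLE stack is newer than its advisory's fix version and produces no finding. Re-running this against an updated feed on a fixed cadence is the concrete form of the "what feeds are we monitoring" commitment a post-market management plan is expected to state.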
This episode covers SBOM Management. It's part of The Med Device Cyber Podcast, hosted by Blue Goat Cyber, focused on practical medical device cybersecurity guidance for MedTech teams.
Christian: Hi, welcome back to the Med Device Cyber podcast. Today we're talking about medical legacy devices, MedTech legacy devices, and some of the challenges with securing them from a cybersecurity perspective, what some of the regulatory bodies such as the FDA think about legacy devices, and how you can come up with a strategy to help mitigate some of the risk associated from a regulatory perspective as well as a cybersecurity perspective.
Christian: I'm your host Christian Espinosa and I'm here with our co-host Trevor Slattery. He's joined us from his tiny apartment in San Francisco because for some reason he decided to move to California. How's it going today, Trevor?
Trevor: Well, it's going great. And let me tell you why I decided to move to California. I just got off the Rubicon this weekend, had a blast out there in the desert, in the rocks. Um, going out fishing, going out on the Jeeps, and it was only a two-hour drive from here. So.
Christian: We have plenty of desert and rocks here in Arizona.
Trevor: But you don't have the most famous off-roading trail of all time.
Christian: Is that where they named the Jeep, that one version called the Rubicon?
Trevor: Yeah. Yeah, the Rubicon was an old, um, old trading route from Reno to Sacramento, way, way, way, way, way back, hundreds of years ago. And then everyone got super into bashing Jeeps against the rocks in it. So took us six and a half hours to go five and a half miles on it. That's the kind of pace that we're making on that trail, but.
Christian: Was that on your Jeep or did you rent a Jeep?
Trevor: No, that was on my buddy's Jeep. He's got super customized Wrangler. My, uh, my little traffic cone suburban Jeep would not get up there.
Christian: I didn't think so. Awesome. So what should, uh, medical device manufacturers know about these legacy devices from a regulatory and a cybersecurity perspective?
Trevor: Well, there are a couple of big things going on with some shifts that we're seeing in how the FDA, the regulators are handling legacy devices, what really needs to go into that. Um, and one great thing that happened pretty recently is some changes to the FDA's guidance on cybersecurity as well as changes into what's accepted as part of eSTAR.
Trevor: And so we'll dive into all of those specific changes in a bit here, but I'll step back a little bit and talk about the legacy device problem. So legacy devices are essentially considered anything that was cleared and approved under or just cleared, not approved, under previous guidance before September of 2023, meaning that modern cybersecurity controls and guardrails have not been put into the device.
Trevor: The issue is that these devices have already been cleared, they're on the market, they're in hundreds or thousands of hospitals. We can't just say we have to clean all these up and try to fit them to new cybersecurity standards. Some of them might not even be capable of it. So what do we do to fix this problem?
Trevor: The FDA is looking at some pathways to try to bridge these devices closer and closer to modern requirements without needing to effectively redesign and start over. So, that's kind of the background on where we're coming into with the problem. And then it's going to be a little bit implementation specific for the solution, but in general, it's just figuring out how can we make old devices a little bit more safe and a little bit more secure, since they aren't always up-to-code with the modern standards.
Christian: Yeah, and a lot of people think, well let's just replace all those devices with newer ones, but that's a larger problem than most people realize because it's not just a, a replace, uh, and just assume everything's going to be fine. You also have to train all the staff on how to use a new device. There's a big learning curve. A lot of healthcare delivery organizations don't want to pay for new devices. So it's a bigger problem than just like patching, like we typically do in IT and, uh, or updating a device.
Trevor: Yep. And that's a big part of it, is we can take some examples. The easiest one is encryption. Since encryption, it's a bit of an arms race between computing power and encryption strength. The stronger computers get, the easier it's going to be for them to break certain types of encryption, but then new encryption gets stronger since there are new computer processors that can encrypt and decrypt information faster. So, it's a little bit of an arms race in that regard.
Trevor: If we look at a device that was cleared, let's say 20 years ago, using encryption that was state-of-the-art back then, that's most likely going to be considered wildly insecure now. But the hardware that that device is on probably does not even support modern encryption. So you can't just fix the device up to modern standards. You have to bridge the gap a little bit.
Trevor: I think the direction that the FDA is going, and I'll talk a little bit about some of the changes they made to their guidance and then eSTAR. In their guidance, they're leaning a bit more into the idea of controlled versus uncontrolled risk.
Christian: So, can we back up one second? Uh, you said controlled and uncontrolled risk. Uh, could you kind of define those in a, in a roundabout manner, but could you explicitly define how the FDA views controlled versus uncontrolled in terms of patient safety?
Trevor: Definitely. So, uncontrolled risk is a situation that could happen within the product that poses a significant threat to patient safety, patient data, something that we're trying to protect within that system. It could be PHI, PII, or just general safety for the individual.
Trevor: This is going to depend on what the device is. We'll take for an example, we'll say an oxygen pump. There's not really too much that can go wrong. So it's not going to be on a specific vulnerability. It's going to be on what is the outcome of that problem. If a thousand things go wrong with an oxygen pump, it's probably not going to deliver oxygen anymore, but it's not realistically going to hurt an individual. If there's a pacemaker and pretty much anything goes wrong, that could lead to the individual dying pretty quickly. So it is based on the outcome as opposed to the input that leads to the outcome.
Trevor: That is what we're mostly looking for. So uncontrolled risk is a situation that is dangerous based off of the context and use case of the product. Controlled risk, there's still some potential issue present. So we might say with that oxygen pump, if you try to pair to it with a Bluetooth companion app a thousand times repeatedly over a couple of seconds, it'll just freeze up for five minutes.
Trevor: While that is not an ideal situation, the oxygen pump not working for a couple of minutes when you're trying to start it up is not realistically going to be a dangerous situation. So the manufacturer might make the argument, well, we see this as controlled risk since, while there is still some potential risk present, it's fairly slight. We can't see this causing significant harm to a patient or to their data.
Trevor: So, that's what we're looking at with uncontrolled and controlled risk. The FDA is leaving it up to manufacturers to define exactly what those different situations are in their product, talk about how they're assessing uncontrolled risk, and what they're going to do about it in the future. So, when the FDA is talking about these different pathways, it's partially to help legacy devices that need changes made not have to go through these major cybersecurity overhauls. So, for an example, let's say there's a legacy medical device that was cleared six years ago and the manufacturer wants to make some changes to the clinical algorithm in the product. You're going to have to go through new clinical validation with that device. Generally, that is going to mean you have to go through a new 510(k).
Trevor: If this was the same time last year, they would have to start from scratch with all of their cybersecurity considerations. This could lead to a complete redesign of the product. It's not an ideal situation. The FDA is now saying, okay, we get it, some of these legacy products need to make other changes. If you're doing that, here's what we see as a good effort for cybersecurity. And that goes into the eSTAR changes. The FDA is going to want to see for these legacy devices with changes not relating to cybersecurity, generally those would be authentication updates, data flows. You can go through that uncontrolled risk assessment, talk about what your plan is for ongoing post-market maintenance and monitoring and provide a software bill of materials as a reduced burden pathway.
Trevor: So that's the shift that the FDA is trying to make to get manufacturers to do, I don't want to say a good enough job, but essentially just cover some baselines for security without needing to do costly redesigns that could potentially take valuable products off the market.
Christian: So we're looking at effectively a way to raise the awareness of the risk of the existing legacy devices while allowing them to exist on the market with other types of updates that are applicable because the cybersecurity update may not even work. Uh, it may break the device.
Trevor: Exactly. Now, this does change when we're making changes that would affect cybersecurity. So, we'll take an example. We're going to say, you have a pacemaker that has historically used Bluetooth for any communications. And now you're changing it to a Zigbee communication for, or whatever your new protocol is. That shift does change the risk profile of the device. That is going to require the full set of typically expected documentation, testing, and effort to prove that device is secure, since you are making changes that are relating to cybersecurity, you might as well be doing them correctly.
Trevor: So the FDA does draw the line on when you're making some changes that could impact this risk, you need to make those changes correctly. It's more only when you're making device changes that have no impact on the security posture, you can get away with your previously existing design and development there.
Christian: I know we've had several clients that come to us, and from a legacy device perspective, uh, what we do is put them on a post-market management plan. So like you said, we do a penetration test so they know what the modern risks are against the device. So they have that awareness, and we also do the software bill of materials as well.
Christian: So, I think it's important that we do something with these legacy devices even if we're saying, you know, you don't have to do all the cybersecurity things. I think from an awareness perspective it's important to know what the actual risks are, especially with a push towards transparency with our devices to the users of the devices. What are your thoughts on that? Is that like the good, would you say the best practice?
Trevor: Yeah, I think the direction we're going, it's a very hard problem to solve. Figuring out how to get all these legacy devices up to modern security standards, and there isn't really a perfect solution right now. I think we're going in the right direction. The ideal situation is just doing a full retrofit of all these products, but it's unreasonable to say we're going to tear out everything that is less than two or more than two years old and redo it. No, that's not going to happen.
Trevor: So I think we're going in a good direction, and things like penetration testing to say, hey, this is what you need to be aware of. These are the risks in the device. Even going into your uncontrolled risk assessment for some of these, uh, legacy devices with minor shifts, you need to figure out what those risks are. You need to do that somehow. Penetration testing is a great way to do that, as well as any of the other security testing activities that the FDA recommends.
Trevor: We're getting things, the post market management plan is where we're really trying to get things to, uh, work continuously. The post-market management strategy for a medical device is not saying, these are all of the controls that we built into a product to ensure that it's hardened against attack. It's saying, this is what we're doing to keep an eye on things once it's in the field.
Trevor: Here's how often and what type of testing we're doing on the product. Here's what different feeds and resources we're monitoring to be aware in case of a problem. Here's what we're doing as far as tracking known exploited vulnerabilities that are going to have critical impacts within our device out of the software bill of materials. I think it's a great direction that the FDA is going, and it's a good start. I'd like to see things shift into a more all-encompassing security perspective, but I think the direction that we're going right now is really solid progress for sure.
Christian: I agree. Plus if you're aware of the risk with your device, you can communicate that to whoever's using your device and come up with some mitigating controls as well. Like if your device has some network vulnerabilities, then you could recommend, as a way to mitigate that, that it's put behind a firewall at the hospital, for instance, or it's put in an isolated segment. There are things you can do to mitigate the risks that might be discovered with a legacy device, uh, and it could be up to whoever's using the device to mitigate that or not.
Trevor: And that's the big thing, is how are you figuring out that these are problems? And that goes back into your post-market management plan. You have to say, a heading, a sub-heading in eSTAR for your cybersecurity management plan, which is your post-market strategy, is periodic security testing. When are you doing testing, what kind of testing are you doing, what different design inputs are going to lead to testing, what is, you know, going to happen no matter what?
Trevor: And if you aren't doing these types of activities, you're never going to figure out what's wrong, and a bad guy can figure out, a criminal hacker can find the vulnerability first if they're actively researching the security of this device and your team is not. And that's obviously the worst-case scenario, for criminals to understand how to attack this device without anyone else being able to figure that out first.
Christian: Yeah, and I've been in this industry for quite some time, and this goes even to like the disposal of a device. I know several devices we worked on in the past, the hospital basically just got rid of them to whoever wanted them. They ended up on eBay back in the day and people would buy them to do the research, reverse engineer it so they could then attack all the other devices that were deployed, like you mentioned. So if the manufacturer did that ahead of time, and they understand the risk before the criminal does, then they're better prepared to inform their user base about that risk and come up with a strategy to mitigate it.
Trevor: Yeah, and that problem is still a question that comes up during client conversations. Actually, just last week I was talking about that, is what do we do if a hospital just throws our device away? Well, we have to talk about, you know, what is in the device for starters, when are our physical controls good enough versus labeling controls. But it's all part of that total product life cycle approach that the FDA really, really encourages instead of just one-and-done security. You start the second you have the idea for the product and you finish all the way down to when it's being recycled, thrown away, you're done with it. You need to have security covered every single step of the way.
Trevor: And so I think what the FDA is trying to say is, okay, well this is our new stance. We get it. You maybe didn't do it at the beginning before, but you're sure going to do it towards the end now that you're trying to make any changes to the device. So we're starting, you know, the best time to start would have been yesterday, but the second best is today. So that's when we're trying to start and make sure that you're good into the future.
Christian: That's right. From design to disposal, I like to say, is where cybersecurity should come into play.
Trevor: We should get that on shirts. That'd be good.
Christian: Cool, and we can get some more t-shirts later as well. We'll put that on there. Alright, any, uh, let's wrap this one up here, coming up on time. Uh, so if I'm a medical device manufacturer with legacy devices, what are some words of advice summed up in two sentences?
Trevor: Understand your changes and go accordingly. If you're making security specific changes, you're going to have to bite the bullet and go through the full security process. If you can go down the reduced documentation and reduced burden pathway, then the FDA is giving you these options, they're trying to work with legacy manufacturers. So you have more options now and it's the perfect time to take advantage of those opportunities.
Christian: Well said. Be informed and make the right decisions which dictates how much work you have to do on the back end and what submission pathway you may or may not have to do.
Trevor: Exactly.
Christian: Awesome. I'll throw you over to you for any more last minute words of wisdom one more time here.
Trevor: Well, I'm going to say that make sure that your device, don't leave your device out in the rain. Don't try to forget about it, don't try to just let it get through. Covering these security problems earlier is going to be a lot better than just waiting until the end, waiting until it becomes an enforceable problem. So, try to get ahead of these things. The FDA, it's clear the path they're going and they're trying to give some easy options to getting things right now before things get more complicated.
Christian: I agree with that 100%. I think awareness is important. So doing a penetration test against a legacy device to understand what the real risks are. Um, having the software bill of materials figured out so you understand what the risks are with third-party libraries. And making that awareness actionable. So, if there's a step you can take to help mitigate anything discovered by working with the healthcare delivery organization, I think that is important. I think awareness is useless unless you can make it actionable. So that's my last-minute words of wisdom here.
Christian: Awesome. So thanks everyone for tuning into the Med Device Cyber podcast. We hope to see you on the next one. We hope you found this one valuable.