The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HSCC Issues Guidance for Healthcare Organizations on Managing Legacy Technology Security

This month, the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) published guidance to help healthcare delivery organizations effectively manage cyber risks associated with legacy technology. In healthcare, a great deal of attention has been focused on addressing cybersecurity risks associated with legacy medical devices, but they are not the only type of legacy technology in use in healthcare environments. Many other technologies similarly become more vulnerable as they age, and continue to be used after they have reached end-of-life and support has been withdrawn. These technologies include FDA-regulated devices, non-FDA-regulated devices, laboratory equipment, building and facilities technology, and a host of other technologies.

While the obvious solution from a security perspective is to upgrade to modern, supported systems ahead of the technologies reaching end-of-life, that is often not practical or possible. Instead, healthcare delivery organizations need to effectively manage the risks associated with these technologies. Vulnerabilities in these technologies can be exploited by malicious actors, which can threaten patient privacy and patient safety. Unfortunately, many healthcare organizations that use legacy technologies have limited staff and resources to devote to protecting these technologies, which means vulnerabilities can persist indefinitely.

The guidance – Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS) – details best practices and makes several recommendations for healthcare delivery organizations, medical device manufacturers, and other technology providers whose products are used in healthcare environments. The guidance explains that all of these entities have a shared responsibility to ensure legacy technologies can be used securely in clinical environments while staying one step ahead of modern cyber threats. HSCC encourages healthcare delivery organizations, medical device manufacturers, and other technology providers to work together to effectively manage risk.

The guidance is the result of three years of work by 67 industry and government member organizations, including healthcare delivery organizations, medical device manufacturers, trade groups, government representatives, security experts, and health IT companies. The guidance covers the four core pillars of a comprehensive legacy technology cyber risk management program: governance, communications, cyber risk management, and future-proofing legacy technologies, and includes general and specific recommendations for each of those pillars in an easily actionable format.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
