MITA backs investigation into security of legacy medical devices, offers policy guidance

The Medical Imaging and Technology Alliance (MITA) submitted formal comments June 11 to the Energy and Commerce Committee applauding the organization’s investigation into medical device vulnerabilities and outlined suggested policies to advance cybersecurity for legacy medical imaging equipment.

Patrick Hope, executive director of MITA, urged in his letter that protecting healthcare systems against cyberattacks is a shared responsibility among device manufacturers, government agencies, health delivery organizations (HDOs) and other stakeholders.

He specifically addressed the disparity between the clinical and digital lifetimes of medical imaging devices, which he described as a “unique [and] significant challenge.” For example, the clinical lifetime of an MRI machine can span decades, while manufacturers may only be able to provide digital security on these devices for a few years, Hope wrote.

This security chasm creates tension and a shared financial burden between HDOs, manufacturers and public agencies that must be dealt with in a collaborative way, he wrote.

In addition to exploring ways to increase collaboration with HDOs, Hope listed the following policies which MITA believes are worth considering to address medical device cybersecurity:

  • Develop life cycle definitions using existing industry standards, such as NIST 800-64, to ensure consistency and encourage industry collaboration.
  • Offer incentives to upgrade systems that utilize obsolete operating systems, unsupported third-party commercial software and outdated hardware.
  • Clear manufacturer communication of key dates that include how long a product can expect support based on both software and hardware life cycles.
  • Clear recognition that no security support should be expected for any medical device past the end of the support date established for that product.
  • Clearer guidelines from international regulatory bodies responsible for medical imaging devices dependent on qualifying security updates without imposing lengthy and costly verification and validation testing.

“We feel strongly that digital connectivity is critical to today’s health care systems, and therefore it is incumbent upon all involved to proactively utilize existing protections, and take advantage of opportunities for collaboration to improve the cybersecurity of legacy medical devices,” said Hope in a MITA statement.