The Persisting Risks Posed by Legacy Medical Devices

Daniel dos Santos of Forescout Discusses Device Security Progress, Weaknesses
Recently enacted U.S. legislation requiring vendors to design cybersecurity into medical devices is a good first step, but healthcare delivery organizations for many years to come will continue to face serious risks involving older equipment still in use, says Daniel dos Santos, who leads research at security firm Forescout.
The legislation, part of an omnibus funding bill signed into law by President Joe Biden in December, requires manufacturers to provide detailed assurance of device cybersecurity as part of their premarket product submissions to the Food and Drug Administration (see: Medical Device Security Provision Now Part of Spending Bill).
"Devices that are specialized, like connected medical devices, have a very long lifespan - in some cases it can be 20 to 30 years," dos Santos says in an interview with Information Security Media Group.
"We have to keep in mind that these new and hopefully more secure devices will be connected oftentimes on the same networks as devices that are less secure, which raises the risk to the network."
Many of these older devices lack encryption, contain hard-coded credentials and pose other security concerns, he says. "Things may improve for the newer models and that's great, but these older devices will still be on healthcare delivery organization networks for potentially a long time in the future."
In the interview, dos Santos also discusses:
- Top cybersecurity vulnerabilities affecting medical devices;
- Security issues involving TCP/IP stacks used by connected devices, including many medical devices;
- The importance of effective asset inventory management in helping to better reduce medical device security risk.
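As an added illustration of the asset-inventory point above (example code written for this page, not from the article, from dos Santos or from Forescout), the following script triages a constructed device inventory using the weaknesses the interview names: devices no longer receiving vendor updates, devices that send traffic unencrypted, and devices with hard-coded credentials. It then flags network segments where such legacy devices sit alongside newer equipment, which is the exposure dos Santos describes. The scoring weights, the VLAN names and every device record are assumptions made for the example.

```python
"""
Added example (not from the article or Forescout): score legacy medical
devices from an asset inventory and flag segments where high-risk legacy
devices share a network with other equipment.
All device records and weights below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    vlan: str
    vendor_supported: bool       # vendor still ships security updates
    encrypted_transport: bool    # clinical/management traffic is encrypted
    hardcoded_credentials: bool  # fixed credentials that cannot be changed
    protocols: list = field(default_factory=list)


# Assumed weights: unpatchable and unchangeable credentials weigh most,
# because neither can be fixed on the device itself.
WEIGHT_UNSUPPORTED = 3
WEIGHT_PLAINTEXT = 2
WEIGHT_HARDCODED = 3
HIGH_RISK_THRESHOLD = 5


def risk_score(d: Device) -> int:
    """Sum the weights of the legacy weaknesses present on one device."""
    score = 0
    if not d.vendor_supported:
        score += WEIGHT_UNSUPPORTED
    if not d.encrypted_transport:
        score += WEIGHT_PLAINTEXT
    if d.hardcoded_credentials:
        score += WEIGHT_HARDCODED
    return score


def segmentation_findings(devices):
    """Return one finding per VLAN where high-risk legacy devices share the
    segment with lower-risk devices; a VLAN holding only legacy devices, or
    only modern ones, produces no finding."""
    by_vlan = {}
    for d in devices:
        by_vlan.setdefault(d.vlan, []).append(d)
    findings = []
    for vlan, members in sorted(by_vlan.items()):
        legacy = sorted(m.name for m in members if risk_score(m) >= HIGH_RISK_THRESHOLD)
        exposed = sorted(m.name for m in members if risk_score(m) < HIGH_RISK_THRESHOLD)
        if legacy and exposed:
            findings.append({"vlan": vlan, "legacy": legacy, "exposed": exposed})
    return findings


# Constructed inventory: one old pump, one imaging workstation and one new
# monitor on a shared clinical VLAN, plus one old device already isolated.
INVENTORY = [
    Device("legacy-infusion-pump", "clinical", False, False, True, ["telnet", "http"]),
    Device("pacs-workstation", "clinical", False, True, False, ["dicom-tls"]),
    Device("new-patient-monitor", "clinical", True, True, False, ["https"]),
    Device("old-ventilator", "isolated-biomed", False, False, True, ["telnet"]),
]


def triage(devices=INVENTORY):
    """Scores every device and returns (scores, segmentation findings)."""
    scores = {d.name: risk_score(d) for d in devices}
    return scores, segmentation_findings(devices)


if __name__ == "__main__":
    scores, findings = triage()
    for name, score in scores.items():
        print(f"{name:24s} risk={score}")
    for f in findings:
        print(f"VLAN {f['vlan']}: legacy {f['legacy']} share a segment with {f['exposed']}")
```

The output is a prioritized list for network segmentation rather than a verdict on any particular device: the point is that an inventory which records update status, transport encryption and credential handling per device is what makes the "same network" risk visible at all.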
Dos Santos has experience in software development, security testing and research and has published over 30 journal and conference papers on cybersecurity.