Managing Legacy Technology Security

March 2023
A comprehensive guide to address the management of cyber risk caused by legacy technologies used in healthcare environments. It recommends cybersecurity strategies that both manufacturers and health providers can implement for legacy medical technology as a shared responsibility in the clinical environment and provides insights for designing future devices that are more secure. A brief summary and a Quick Reference Guide are also available, along with a HealthCareInfoSecurity webinar on the HSCC guide “Managing Legacy Technology Security”.

Health Industry Publishes “Health Industry Cybersecurity – Managing Legacy Technology Security”

Washington, D.C., March 2, 2023 – The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) today published “Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS)” – a comprehensive guide to address the management of cyber risk caused by legacy technologies used in healthcare environments.   It recommends cybersecurity strategies that manufacturers and health providers can implement for legacy medical technology as a shared responsibility in the clinical environment, and provides insights for designing future devices that are more secure.

Concurrently, the White House today released its “National Cybersecurity Strategy,” which envisions an increased emphasis on protecting the nation’s critical infrastructures from cyber threats and incidents. The HIC-MaLTS addresses that emphasis through a rigorously negotiated program of cybersecurity management and accountability between health delivery organizations and medical technology companies involving legacy medical systems in the clinical environment.

Who should use it?

The HIC-MaLTS details best practices and recommendations in a modular and actionable format for medical device manufacturers (MDMs), healthcare delivery organizations (HDOs), and other technology providers whose products are used in healthcare environments.

What does it cover?

HIC-MaLTS covers, among other things:

  • The “Core Pillars” of a comprehensive legacy technology cyber risk management program:
    • Governance: How should healthcare stakeholders govern to ensure effective legacy technology cyber risk management?
    • Communications: How should organizations communicate internally and with their customers, regulators, and the public to manage legacy technology risk?
    • Cyber Risk Management: For current and future legacy technologies, how should organizations manage cyber risk to limit current risk and avoid or minimize future risk?
    • Future Proofing: How should MDMs and other technology providers design, deploy, and maintain their technologies to avoid or lessen legacy technology risks?

Document Development Process

The HSCC task group that developed this resource consisted of 65 organizational members co-led by Intermountain Healthcare, Elekta, and FDA.  The work process involved 3 years of engagement, negotiation and drafting among health delivery and medtech companies, demonstrating a collaborative commitment to the principle of shared responsibility.  The result was compromise, consensus and actionable practices that ultimately will increase security, lower costs, and protect patient safety.  

About the Health Sector Coordinating Council Cybersecurity Working Group

The Healthcare and Public Health Sector Coordinating Council (HSCC) is a coalition of private-sector critical healthcare infrastructure entities organized under a national public-private partnership framework to partner with and advise the government in the identification and mitigation of strategic threats and vulnerabilities facing the sector’s ability to deliver services and assets to the public.  The HSCC Cybersecurity Working Group (CWG) is a standing working group of the HSCC, composed of almost 400 industry and government organizations collaborating to develop strategies to address emerging and ongoing cybersecurity challenges to the health sector.

The HIC-MaLTS document can be downloaded at https://healthsectorcouncil.org/wp-content/uploads/2023/03/Health-Industry-Cybersecurity-Managing-Legacy-Technology-Security-HIC-MaLTS.pdf.

All 17 of the HSCC Cybersecurity Working Group publications of leading practices and recommendations are available as a free public service at https://healthsectorcouncil.org/hscc-publications/.  Additional forthcoming publications over the next quarter include:

  • Joint Publication with HHS on health sector implementation of the NIST Cybersecurity Framework
  • Medical Device Joint Security Plan v2, updating product security strategies for designing and building security into medical technology
  • Healthcare Enterprise Incident Response Plan
  • “Cybersecurity for the Clinician” video training series for practicing clinicians and students in the medical profession.

For more information or questions about joining the HSCC as a health industry organization, contact Greg Garcia, HSCC Cybersecurity Working Group Executive Director:

 Greg.Garcia@HealthSectorCouncil.org, or visit us online at https://healthsectorcouncil.org