Guidance on Managing Legacy Medical Devices and Advisory Against Rhysida Ransomware Attacks

FDA Releases Guidance on Managing Legacy Medical Device Cybersecurity Risks

The U.S. Food and Drug Administration (FDA) has released a report with recommendations for managing the cybersecurity risks of legacy medical devices. Legacy medical devices are those that cannot be reasonably protected against current cybersecurity threats, even though they may still perform their primary function adequately and have a useful life beyond their stated end-of-life or end-of-support date.

When a medical device reaches end-of-life, patches are no longer released to resolve vulnerabilities. Unpatched vulnerabilities could be exploited to gain access to the devices and to the systems they are connected to. In most cases, device manufacturers are unable to continue issuing software patches because of obsolete technology and compatibility problems, and healthcare delivery organizations (HDOs) may be unable to replace the devices because of the high cost. Taking the devices out of service can have serious consequences for patient safety and medical procedures.

Medical devices are regulated by the FDA, which was tasked by Congress in 2022 with ensuring the cybersecurity of medical devices. The FDA has since released final guidance on premarket submissions for medical devices, which must now meet minimum cybersecurity requirements to be authorized by the FDA for use in the U.S. Although the final guidance addresses the cybersecurity of new medical devices coming to market, it does not deal with the cybersecurity of the countless devices already in use in hospitals throughout the United States.

The FDA commissioned MITRE to produce a report on legacy medical devices, which were legally marketed and had cybersecurity features that were adequate at the time of purchase but can no longer be reasonably secured. These devices need to be replaced; however, the matter is complicated and should be handled in a way that minimizes negative effects on patient care and safety.

To produce the report, Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks, MITRE consulted medical device manufacturers, healthcare organizations, and cybersecurity specialists to identify possible solutions for minimizing the cybersecurity risks associated with legacy devices. The report contains strategies for reducing cyber risk at hospitals that lack the resources and finances to upgrade the devices. The recommendations address the challenges of shared responsibility across the medical device lifecycle, vulnerability management, workforce development, and mutual support for less-resourced healthcare delivery organizations (HDOs).

The 8 recommendations in the report include:

  • Collection of quantitative and qualitative information to allow HDOs and medical device manufacturers (MDMs) to make informed decisions about the risks and costs of replacement compared with the extended use of legacy devices.
  • Creation of data-sharing agreement templates to improve transparency and ensure that the right expectations are built in for managing legacy medical device security issues.
  • Designation of a security architecture working group, together with stakeholders, to identify and prioritize security controls that could be deployed within an HDO's network to improve cyber risk management.
  • Creation of a research plan for modular design of medical devices. If medical devices were built to be modular, HDOs would have the option of replacing legacy software or hardware components instead of replacing entire devices.
  • Research on coordinated vulnerability management to identify ways to simplify and improve vulnerability management processes, which can be expensive and resource-intensive.
  • Development of competency models for roles associated with legacy cyber risk management to support HDOs with fewer resources and aid staff training.
  • Engagement in mutual support partnerships, including ad-hoc relationships, state/local government partnerships, and private sector partnerships.

Feds Publish Updated Mitigations for Stopping Rhysida Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory about Rhysida ransomware.

The ransomware-as-a-service (RaaS) operation known as Rhysida first appeared in May 2023. The group uses double extortion tactics, stealing data before encrypting systems and demanding a ransom payment for the decryption keys and to prevent public exposure of the stolen data. Researchers at Check Point observed that Rhysida ransomware is very similar to Vice Society, one of the most notorious ransomware gangs since 2021, which has aggressively targeted the education and healthcare sectors.

In August 2023, the HHS' Health Sector Cybersecurity Coordination Center (HC3) released its own alert about Rhysida ransomware after a number of attacks on the healthcare sector, including the attack on Prospect Medical Holdings, which affected 17 hospitals and 166 clinics across the United States. The latest cybersecurity advisory includes tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IoCs) obtained from malware analysis and recent incident response investigations, to help network defenders and incident response teams detect and stop ongoing attacks.

Rhysida ransomware actors have been observed using several techniques to gain initial access to victims' networks, including external-facing remote services such as virtual private networks (VPNs), frequently using compromised credentials. These attacks succeeded against organizations that had not implemented multi-factor authentication for VPN connections. Rhysida threat actors have also exploited unpatched vulnerabilities, such as the Zerologon vulnerability (CVE-2020-1472) in Microsoft's Netlogon Remote Protocol, and frequently use phishing emails. Once initial access is gained, the group typically establishes Remote Desktop Protocol (RDP) connections for lateral movement, creates VPN access, and uses PowerShell and native network administration tools to carry out operations, which helps them evade detection by blending in with normal Windows activity.

The FBI, MS-ISAC, and CISA recommend a number of mitigations for strengthening security, including steps to block the primary attack vectors, limit lateral movement, and detect ongoing attacks. These include enabling phishing-resistant multi-factor authentication, particularly for VPNs, webmail, and accounts that access critical systems; disabling command-line and scripting activities and permissions; restricting the use of PowerShell; enhancing PowerShell logging and logging within processes; restricting the use of RDP; and securing remote access through application controls.
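As an added example (not code from the advisory or this article), the detection below targets the RDP lateral-movement pattern described above: it scans Windows Security 4624 (successful logon) records and flags any account that opens RemoteInteractive sessions (logon type 10) to several distinct hosts within a short window. The records are constructed sample data, and the field names and threshold values are assumptions, not figures from the advisory.

```python
"""Flag RDP fan-out (one account reaching many hosts) in 4624 logon records."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive: an interactive logon over RDP/Terminal Services

# Constructed sample 4624 records (not real telemetry). A service account fans
# out over RDP to four hosts in 20 minutes; a user logs on locally (type 2) and
# then reaches a single file server over RDP, which is normal behaviour.
SAMPLE_EVENTS = [
    {"time": "2023-11-15T02:10:00", "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.21", "host": "FILESRV01"},
    {"time": "2023-11-15T02:14:00", "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.21", "host": "DC01"},
    {"time": "2023-11-15T02:19:00", "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.21", "host": "PACS02"},
    {"time": "2023-11-15T02:30:00", "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.21", "host": "HIS-DB01"},
    {"time": "2023-11-15T08:02:00", "logon_type": 2,  "user": "jdoe",       "src_ip": "-",         "host": "WS-0413"},
    {"time": "2023-11-15T08:05:00", "logon_type": 10, "user": "jdoe",       "src_ip": "10.0.9.7",  "host": "FILESRV01"},
    {"time": "2023-11-15T09:40:00", "logon_type": 10, "user": "jdoe",       "src_ip": "10.0.9.7",  "host": "FILESRV01"},
]


def find_rdp_fanout(events, window_minutes=30, min_hosts=3):
    """Return {user: sorted hosts} for every account whose type-10 logons reach
    at least `min_hosts` distinct hosts inside some sliding window of
    `window_minutes`. Only the first window that trips the threshold is kept."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # local, network and service logons are not RDP sessions
        per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))

    findings = {}
    for user, logons in per_user.items():
        logons.sort()  # chronological order so a two-pointer window works
        right = 0
        for left, (start, _) in enumerate(logons):
            # extend the right edge while it is still inside the window
            while right < len(logons) and logons[right][0] - start <= window:
                right += 1
            hosts = {host for _, host in logons[left:right]}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for user, hosts in find_rdp_fanout(SAMPLE_EVENTS).items():
        print(f"possible RDP lateral movement: {user} -> {', '.join(hosts)}")
```

In production the threshold should be tuned against a baseline of legitimate administrative RDP use, and the source IP can be added to the key to separate jump hosts from workstations.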