Many medical device security architectures would not stand up to regulatory scrutiny today; the standards have changed. These "legacy" products are causing cognitive dissonance in medtech cybersecurity, preventing the changes necessary to build according to reasonable current standards.
We used to have cars without seatbelts and airbags. That was then, this is now.
We used to let people smoke inside, around babies. That was then, this is now.
We used to build medical devices that could not be reasonably secured throughout their lifecycle. That was then, this is now.
Except, over and over, I feel like we're in the 2010s, before I knew medical device cybersecurity was a "thing," before we had draft FDA guidances on cyber, before we could add asymmetric encryption on tiny chips, before the SBOM, before the Omnibus bill, before cloud connectivity at the hospital bedside.
Why? There are many reasons. It's hard to change development lifecycles. It is hard to convince very large organizations to make very big changes that will require significant investment and uncertain returns. It's hard to get very small companies with existentially low funding levels to invest in "shifting left" and secure by design.
One of the reasons, though, is cognitive dissonance, and there's a relatively easy fix. For companies with existing products, the cybersecurity team has to work on "legacy" products knowing that they cannot be reasonably secured. They write SOPs that have to apply to both current and future products. It is wholly unreasonable to expect to be able to create new, reasonable cybersecurity quality practices that will stand up to future scrutiny while also expecting the legacy products to adhere to the same new practices. And yet, I have seen it over and over again. For example, several large companies are trying to create one new vulnerability management process that will apply to the old and the new products. It is impossible to do this well. This causes cognitive dissonance, which kills creativity and motivation. What will work in the future will make the current, money-making legacy devices today look bad.
And that is okay. FDA has been loud and clear about legacy tech; risk assessment isn't one-size-fits-all. But teams are still trying to resolve the conflict between the old and the new with single solutions that cover both. Which is impossible. How do we resolve this? Leadership.
Medtech Leaders: Tell your teams to separate the old and the new. Create a clean break. Set software and cyber quality expectations for newer products that can be reasonably and regularly updated, and give a grace period to the legacy products (even if they're still being sold). Free your overworked, overstressed cybersecurity pros from the cognitive dissonance of trying to achieve a one-size-fits-all approach to security. After all, we can't "shift left" retrospectively. We can only do better now and in the future.
~Shannon, the Optimistic Optimizer