April 3, 2023

Can You Teach Legacy IoMT New Tricks?  

In the ever-changing world of IoT, early adopters of this technology, including many medical and manufacturing organizations, are finding that the devices they so heavily invested in are now less secure than ever.  

You might think that the only solution is to replace existing technology with new greenfield devices, but is there a way to extend the life of existing equipment, minimizing the cost of new technology and the overall impact your corporation has on the environment?  

What are Brownfield IoMT Devices? 

Brownfield IoMT devices refer to medical devices or equipment that have already been deployed or are currently in use. 

Retrofitting brownfield IoMT devices can be challenging because most of them were designed without IoT capabilities. However, retrofitting these devices can offer several benefits, including the ability to monitor patients remotely, streamline data collection and analysis, and ultimately improve the hospital experience and shorten the time needed to achieve desired patient outcomes. 

Some examples of brownfield IoMT devices include legacy medical equipment such as ECG machines, infusion pumps, and patient monitors, which have been updated with IoT sensors and software to enable remote monitoring, data collection, and analysis. IoT gateways are often used to improve connectivity. Retrofitting these devices can help healthcare providers better manage patient care, reduce the risk of errors, and enhance overall patient safety. 

Overall, the goal is to reduce downtime, lower field service costs and improve patient safety.  

Grandfather Clause 

The IoMT grandfather clause refers to a provision that exempts certain medical devices from complying with new IoT regulations if they were already in use before the regulations were put in place. This provision is often included in regulations related to the security and privacy of IoT-enabled medical devices. 

The grandfather clause is intended to provide some flexibility for medical device manufacturers and healthcare providers who are already using older devices that may not meet the new regulations. By exempting these devices from the new regulations, manufacturers and providers can continue to use them without incurring the cost of retrofitting or replacing them. 

However, it’s important to note that the grandfather clause does not exempt medical devices from all regulations. It typically only applies to specific regulations related to IoT security and privacy. In some cases, older devices may still need to be updated or replaced to comply with other regulations related to medical device safety and efficacy. 

Overall, the IoMT grandfather clause is intended to strike a balance between protecting patient privacy and ensuring that healthcare providers can continue to use existing medical devices without interruption. 

FDA Cracking Down on IoMT from the End of March 2023 

The FDA (U.S. Food and Drug Administration) has recognized the importance of brownfield IoMT devices in the healthcare industry and has issued guidance for the development and regulation of these devices. 

The definition of brownfield IoMT devices used by the FDA states that they are “medical devices that are already on the market, have a proven clinical benefit, and have been in use for some time, but have been modified with additional software or hardware to allow for connectivity and advanced functionality.” The agency acknowledges that these devices may have limitations in terms of their cybersecurity and data privacy features, but that retrofitting them with IoT technology can improve patient outcomes and reduce healthcare costs. 

Overall, the FDA’s guidance on brownfield IoMT devices is intended to facilitate the development and adoption of these devices while ensuring that they are safe, effective, and protect patient privacy. 

In December 2022, the FDA announced a list of documents it planned to publish in 2023, signalling an overall crackdown on all IoT devices, including the following: 

  • Remanufacturing of medical devices 
  • Cybersecurity in medical devices: Quality system considerations and content of premarket submissions 
  • Fostering medical device improvement: FDA activities and engagement with the Voluntary Improvement Program 

Medical devices that fall under the definition of “cyber devices” now have to comply with specific cybersecurity requirements, including post-market monitoring, fixing vulnerabilities, and providing updates and patches to devices that are already in the field. The “Refuse to Accept” policy gives the FDA the ability to reject submissions that do not meet these standards. The policy comes as the number of cyberattacks targeting medical devices continues to rise; overall it aims to ensure patient safety and proper device performance, and to make cybersecurity a key feature from the initial stages of development. 

This does not apply retroactively to currently deployed insecure devices and legacy technologies, nor to those that have been retrofitted with technology that allows them to connect with each other, making brownfield retrofitting an even more appealing option. 

SBOMs and IoMT 

An SBOM (Software Bill of Materials) is a document that lists all the components and dependencies of a software product, including open-source and third-party components. An SBOM provides a comprehensive and standardized list of all the software components that are included in a product, along with their version numbers and licensing information. 

An SBOM is a critical component of software supply chain security and is becoming increasingly important in the wake of high-profile software supply chain attacks. By providing visibility into all the components that make up a software product, an SBOM can help organizations identify and remediate vulnerabilities and other security issues more quickly and effectively. 

An SBOM can play a critical role in IoMT security. As medical devices become more interconnected and reliant on software, it is essential to have a comprehensive understanding of the software components used in those devices. By maintaining an up-to-date SBOM, healthcare providers can quickly identify and address software vulnerabilities that could put patient data and safety at risk. The SBOM can also help to identify potentially risky software suppliers, enabling healthcare providers to take proactive steps to mitigate supply chain risks. 

Overall, an SBOM provides greater transparency into the software supply chain, which can help improve security, reduce risk, and facilitate more effective software management and development. 
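As an added example (not Device Authority's or Finite State's code), the following Python shows the core of the correlation the section describes: it parses a constructed CycloneDX-style SBOM for a hypothetical retrofitted pump gateway and matches each component's version against a constructed advisory list with placeholder ids. Component names, versions, affected ranges and advisory ids are all made up for illustration.

```python
import json

# Constructed SBOM (minimal CycloneDX JSON shape) for a hypothetical retrofitted gateway.
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"name": "pump-gateway-fw", "version": "2.3.1"}},
 "components": [
  {"type": "library", "name": "tls-lib", "version": "1.0.2u"},
  {"type": "library", "name": "shell-utils", "version": "1.31.1"},
  {"type": "library", "name": "mqtt-broker", "version": "2.0.15"}
 ]}"""

# Constructed advisory feed: affected range is [introduced, fixed); ids are placeholders.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "tls-lib", "introduced": "1.0.0", "fixed": "1.1.1"},
    {"id": "ADV-PLACEHOLDER-2", "component": "shell-utils", "introduced": "1.30.0", "fixed": "1.32.0"},
    {"id": "ADV-PLACEHOLDER-3", "component": "mqtt-broker", "introduced": "1.0.0", "fixed": "2.0.0"},
]

def parse_version(v):
    """Turn '1.0.2u' into ((1,''),(0,''),(2,'u')) so numeric parts compare as ints, not strings."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)

def load_components(sbom_text):
    """Extract (name, version) pairs from the SBOM's component list."""
    return [(c["name"], c["version"]) for c in json.loads(sbom_text).get("components", [])]

def affected(version, introduced, fixed):
    """True when the shipped version lies in the half-open range [introduced, fixed)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def correlate(sbom_text, advisories):
    """Map each affected component name to the advisory ids that apply to its shipped version."""
    findings = {}
    for name, version in load_components(sbom_text):
        hits = [a["id"] for a in advisories
                if a["component"] == name and affected(version, a["introduced"], a["fixed"])]
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    for comp, ids in correlate(SBOM_JSON, ADVISORIES).items():
        print(f"{comp}: {', '.join(ids)}")
```

The version parser deliberately handles the letter-suffix style ("1.0.2u") seen in some firmware components; a real deployment would use the ecosystem's own versioning rules and a live advisory feed.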

How Can Device Authority Help to Secure These Connected Brownfield Devices?  

Making sure these devices are properly secured when most don’t have the correct hardware security measures built in means that there is a need for a software solution like Device Authority’s KeyScaler platform, offering Continuous Authorization, Certificate Management, Device Life Cycle Management and the ability to manage Edge devices. 

Device Authority offers several first-class IoT software solutions; however, partnering with organizations such as Finite State allows us to offer an even stronger combined offering to the market.  

Our Continuous Assurance offering combines the Device Identity Management, Device Software Validation and Remediation Automation capabilities of the KeyScaler platform with Finite State’s Next Gen platform, which ingests and manages Software Bill of Materials (SBOM) data with advanced vulnerability intelligence correlation.  

This powerful combination enables IoT environments to be alerted to vulnerabilities within their software supply chain and, critically, for policy-driven action to be taken instantly, ultimately enabling vendors to manage risk in their infrastructures. 

To find out more about our joint solution please contact us here: 

Louise José