Lawmakers and experts warned that aging and outdated medical devices pose growing cybersecurity risks that could impact both patient safety and national security.
The House Energy and Commerce Oversight and Investigations Subcommittee held a hearing April 1 to examine cybersecurity vulnerabilities in legacy medical devices.
Legacy medical devices are classified as those “that cannot be reasonably protected against current cybersecurity threats.” While this encompasses older devices manufactured before today’s security standards were in place, it can also include newer devices running outdated software. A range of medical devices—including patient monitors, infusion pumps, and imaging systems—can be vulnerable to cybersecurity threats.
In his opening remarks, subcommittee chair Rep. Gary Palmer (R-AL) noted that patching and updating software are common ways to address cybersecurity vulnerabilities, but “it is unlikely that such vulnerabilities can be sufficiently mitigated through these approaches due to outdated technology and compatibility issues.” He said, “Moreover, merely replacing devices comes with financial and logistical challenges, which leads many hospitals to retain these legacy medical devices well beyond their life expectancies—often without the software support to handle modern cybersecurity risks.”
Experts Outline Patient Safety and National Security Risks Linked to Legacy Devices
The subcommittee heard from experts on the dangers of outdated devices. As noted by the American Hospital Association, Erik Decker, vice president and chief information security officer at Intermountain Health, discussed the current state of cyberthreat adversaries as well as the state of medical device security programs. “The primary concerns with attacks against medical devices are related to patient safety and national security,” Decker said. “Additionally, they can be used as conduits for further attack against an organization. Though there have been no known public attacks against medical devices to cause harm to a patient, the studies and research have shown that such an attack is possible.”
Christian Dameff, MD, emergency physician and co-director for the Center for Healthcare Cybersecurity at the University of California San Diego Health, said, “Our patients depend on millions of medical devices—many of them aging…—to deliver life-saving care. The cybersecurity of our legacy medical devices thus becomes a literal matter of life and death.”
Other witnesses for the hearing included Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group; Michelle Jump, chief executive officer of MedSec; and Kevin Fu, professor from the department of electrical and computer engineering at the Khoury College of Computer Sciences at Northeastern University.
Ongoing Gaps in Oversight Highlighted Despite Recent Policy Progress
The hearing follows a January alert from the FDA and the Cybersecurity and Infrastructure Security Agency about a Chinese-manufactured patient monitor with a hidden backdoor vulnerability that could enable unauthorized remote access—a warning that raised concerns about the potential for state-sponsored cyberattacks.
During the hearing, Palmer pointed to the 2022 Protecting and Transforming Cyber Health Care Act, which expanded the FDA’s authority to require cybersecurity plans for new medical devices, as progress in addressing legacy medical device issues. However, devices introduced before the law took effect remain unregulated under its provisions.
“Therefore, addressing cybersecurity threats in legacy medical devices is critical,” Palmer said. “Fortunately, thanks to the ongoing work of the experts represented by our witnesses today, we have valuable partnerships and coordinated efforts to help address these risks and threats.”