Lawmakers want to know how to mitigate cyber risk in medical devices

Replace the device? Patch the software? Lawmakers want to know how to protect legacy medical equipment from cyberthreats.

House lawmakers are calling on stakeholders in the health care industry for tips on how to secure old technology in the medical field.

The Committee on Energy and Commerce put out a request for information Friday detailing its concern that outdated equipment and software used in hospitals and other medical organizations create cybersecurity vulnerabilities that can put patients at risk.

“While health care cybersecurity is a complex, nuanced challenge with many different contributing factors, the use of legacy technologies, which are typically more insecure than their modern counterparts, continues to be a root cause of many incidents,” the committee wrote.

Fueling the committee’s concern is the WannaCry ransomware attack that paralyzed operations at numerous hospitals and health organizations around the world.


The May 2017 attack, which has been widely attributed to North Korea, spread through a flaw in the SMBv1 file-sharing service of Microsoft Windows on machines that had not applied the March 2017 patch (MS17-010). In some cases, the machines were being used to run medical devices, such as MRI scanners and X-ray machines.

“In the aftermath of the outbreak, health care stakeholders were faced with a troubling question: how many other potential ‘WannaCrys’ lurk within their environments?” committee members ask, also raising concern about the cost of finding vulnerabilities. “Considering the fact that many popular medical technologies leverage software and hardware with hundreds to thousands of known vulnerabilities, let alone unknown ones, vulnerability identification and management can quickly become a daunting task.”

Recent research from cybersecurity firm Trend Micro showed that hospitals worldwide are riddled with internet-connected devices that are exposed and searchable on the open web.

The lawmakers highlight some obstacles to securing health care technology. Some equipment, they say, might be so specialized that only a handful of models exist that can fulfill its role.

“For some of these products, replacements or alternatives may not be available, or they may be affected by similar vulnerabilities, leaving organizations with few, if any, good options,” the letter reads.


Additionally, because some medical equipment is so expensive, hospitals may have to choose between buying replacements for vulnerable systems and spending that money on staff and patient care.

“As a result, organizations may reason that replacing technologies to address intangible and often esoteric cybersecurity vulnerabilities, especially in machines that may still exhibit acceptable physical operation, does not provide enough benefits to offset the costs.”

Earlier this week, the Food and Drug Administration proposed a Medical Device Safety Action Plan that would require vendors to create a “Software Bill of Materials” for each device, telling device users what software is running on the equipment on their networks and giving them insight into which components might expose them to cyberthreats. In the proposed plan, the FDA is also considering requiring device makers to build software patching capabilities directly into their products.
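The SBOM idea described above, as an added example that is not part of the article, the FDA plan, or any vendor's tooling: a small Python script that loads a constructed, simplified JSON inventory for a hypothetical imaging workstation and matches each component's version against a constructed advisory list, flagging every component older than the version that carries the fix. The JSON layout, the advisory identifiers (ADV-EXAMPLE-…), the component names and versions, and the version-ordering rule are all assumptions made for the example.

```python
"""Match a simplified Software Bill of Materials (SBOM) against an advisory list.

Added example: the SBOM format, advisory identifiers and version data below are
constructed for illustration and do not describe any real device or flaw.
"""
import json
import re

# Constructed SBOM for a hypothetical imaging workstation. The JSON layout is a
# simplified stand-in (an assumption), not a real SBOM standard.
SBOM_JSON = """
{
  "device": "example-imaging-workstation",
  "components": [
    {"name": "windows",       "version": "7.0.6001"},
    {"name": "openssl",       "version": "1.0.1e"},
    {"name": "zlib",          "version": "1.2.11"},
    {"name": "dicom-toolkit", "version": "3.5.4"}
  ]
}
"""

# Constructed advisory feed with hypothetical identifiers. "fixed_in" is the
# first version of the component that contains the fix.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl",       "fixed_in": "1.0.1g", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib",          "fixed_in": "1.2.9",  "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "component": "dicom-toolkit", "fixed_in": "3.6.0",  "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version):
    """Split a version string into comparable tokens.

    Digit runs compare numerically and letter runs compare alphabetically
    after digits, so "1.0.1" < "1.0.1e" < "1.0.1g" and "1.2.9" < "1.2.11".
    This rule is an assumption that fits common dotted schemes; a vendor
    with a different scheme needs its own comparison.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)


def is_affected(installed, fixed_in):
    """True when the installed version predates the version carrying the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def load_sbom(text):
    """Parse the JSON inventory; a real deployment would read the vendor's file."""
    return json.loads(text)


def match_advisories(sbom, advisories):
    """Return one finding per (component, advisory) pair where the SBOM version is too old."""
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv["component"], []).append(adv)

    findings = []
    for comp in sbom["components"]:
        # Components with no advisory (the OS entry in the sample) produce
        # nothing: an SBOM only surfaces vulnerabilities someone has published.
        for adv in by_component.get(comp["name"], []):
            if is_affected(comp["version"], adv["fixed_in"]):
                findings.append({
                    "component": comp["name"],
                    "installed": comp["version"],
                    "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })

    # Worst first, so a triage team sees the critical items at the top.
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["component"]))
    return findings


def report(findings):
    """Render findings as one line each, or a short note when nothing matched."""
    if not findings:
        return "no known-vulnerable components"
    return "\n".join(
        f"{f['severity'].upper():8} {f['component']} {f['installed']} "
        f"-> fixed in {f['fixed_in']} ({f['advisory']})"
        for f in findings
    )


if __name__ == "__main__":
    sbom = load_sbom(SBOM_JSON)
    print(f"SBOM for {sbom['device']}:")
    print(report(match_advisories(sbom, ADVISORIES)))
```

Two things the output makes concrete. The operating-system entry in the sample never appears in the findings because the constructed advisory list says nothing about it, which is exactly the committee's "let alone unknown ones" caveat: an SBOM turns inventory into a list of known exposures, nothing more. And each finding names a fixed version, which is only useful if the device can actually be updated in the field, the second capability the FDA plan is considering.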

In contrast, the Energy and Commerce Committee writes in its RFI that requiring manufacturers to support their devices indefinitely would be impractical, because it could mean “entirely rearchitecting or rewriting the chipsets, operating systems, or applications on which a technology relies.”

“Policies that would require manufacturers to support legacy technologies indefinitely would therefore likely have significant impacts on their ability to provide new and innovative technologies, as their resources would necessarily have to be spent maintaining their legacy products,” the committee writes.


The committee wants to hear back from stakeholders on how to approach these challenges by May 31.
