House Committee Hears New Concerns About Legacy Medical Device Cybersecurity
A House Energy and Commerce Committee Subcommittee on Oversight hearing last week explored the current cybersecurity challenges associated with legacy medical devices. A legacy medical device is any medical device that cannot reasonably be protected against current cybersecurity threats; examples include patient monitors, infusion pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, intrathecal pain pumps, and imaging devices.
The problem is that medical device hardware can remain functional for 10 to 30 years; however, the life cycles of the medical device software are much shorter. Once software reaches end of life and security updates stop being provided, vulnerabilities will no longer be fixed. If the devices continue to be used, threat actors will have ample time to find and exploit vulnerabilities, and since medical devices are usually network-connected, a successful attack on a legacy device can allow a threat actor to access internal networks. When the software reaches end of life, medical devices need to be replaced; however, cash-strapped hospitals lack the funding to replace their legacy devices, and the devices continue to be used for years, despite the cybersecurity risks.
In December 2022, the PATCH Act was signed into law to improve medical device cybersecurity. The Food and Drug Administration (FDA) was given greater authority over medical device cybersecurity and is now assessing the cybersecurity of medical devices when reviewing premarket submissions. From March 2023, medical device manufacturers have had to submit plans to the FDA for monitoring, identifying, and addressing cybersecurity vulnerabilities for the entire product lifecycle and are required to submit a software bill of materials (SBOM) to ensure that all software components can be tracked.
The bar has been raised for medical device cybersecurity, but the PATCH Act only applies to new medical devices manufactured after March 2023. Legacy devices manufactured before that date are likely to have vulnerabilities that could be exploited. According to the Cyber Division of the Federal Bureau of Investigation, 53% of networked medical devices and Internet of Things (IoT) devices contain at least one known critical vulnerability.
A hidden backdoor was identified in patient monitors manufactured by the Chinese firm Contec. The backdoor allowed the devices to communicate with a Chinese IP address linked to the China Education and Research Network at Tsinghua University in Beijing, an organization with no association with Contec. The patient monitor was cleared by the FDA in 2011, so the backdoor had been present for more than 13 years before it was detected. This is unlikely to be an isolated example, but it is unclear how many similar vulnerabilities are present in legacy medical devices. There is simply not sufficient data to accurately assess the problem.
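A device that quietly reaches out to an unexpected host, as the Contec monitors did, is easiest to catch when each device class has a small egress allowlist and flow records are checked against it. The following is an added example, not code from the hearing, the FDA, or any vendor; the device names, IP ranges, and flow records are all constructed for illustration.

```python
"""Egress-allowlist check for networked medical devices (added example).

A patient monitor or infusion pump should only talk to a handful of known
hosts (central station, NTP, vendor update server). Any other destination,
or any device missing from the inventory, is worth an alert. Every device
name, address, and flow record below is constructed, not real data."""
import ipaddress
from dataclasses import dataclass

# Constructed per-device egress policy: device -> allowed destination networks.
ALLOWLIST = {
    "monitor-icu-07": ["10.20.0.0/24", "10.20.5.10/32"],
    "pump-ward3-02": ["10.20.0.0/24"],
}

@dataclass(frozen=True)
class Flow:
    src_device: str
    dst_ip: str
    dst_port: int
    proto: str

# Constructed flow log from the medical-device VLAN.
SAMPLE_FLOWS = [
    Flow("monitor-icu-07", "10.20.0.5", 443, "tcp"),     # central station
    Flow("monitor-icu-07", "10.20.5.10", 123, "udp"),    # NTP server
    Flow("monitor-icu-07", "203.0.113.45", 515, "tcp"),  # unknown external host
    Flow("pump-ward3-02", "10.20.0.9", 443, "tcp"),      # central station
    Flow("pump-ward3-02", "198.51.100.7", 80, "tcp"),    # unknown external host
    Flow("unknown-device", "10.20.0.5", 443, "tcp"),     # not in inventory
]

def is_allowed(device: str, dst_ip: str) -> bool:
    """True if dst_ip falls inside one of the device's allowed networks."""
    nets = ALLOWLIST.get(device)
    if nets is None:
        return False  # not in inventory: unknown devices get no implicit trust
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def find_violations(flows):
    """Return (device, dst_ip, dst_port, reason) for each flow outside policy."""
    out = []
    for f in flows:
        if f.src_device not in ALLOWLIST:
            out.append((f.src_device, f.dst_ip, f.dst_port, "device not in inventory"))
        elif not is_allowed(f.src_device, f.dst_ip):
            out.append((f.src_device, f.dst_ip, f.dst_port, "destination not allowlisted"))
    return out

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("ALERT", *v)
```

The same check also surfaces the inventory gap the witnesses describe: a device that is not in the allowlist at all is reported rather than silently ignored.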
The hearing, titled “Aging Technology, Emerging Threats: Examining Cybersecurity Vulnerabilities in Legacy Medical Devices”, explored the challenges associated with legacy medical device cybersecurity and sought to identify the current scope of the problem, how it impacts patients and providers, the risks that vulnerabilities could be exploited by cybercriminal and nation state actors, and what efforts are underway to address the vulnerabilities.
According to Dr. Christian Dameff, co-director of the UCSD Center for Healthcare Cybersecurity, legacy devices are extensively used in healthcare, but the scale of the problem is not known. There is no inventory that tracks these devices at the national or regional level, and ensuring the cybersecurity of those devices is impossible when it is unknown how many are in use. “The truth when it comes to the cybersecurity of legacy medical devices is that we lack many of the basic statistics needed to understand the magnitude of the threat,” said Dameff. “We currently don’t have the capability to determine at a national scale how many and where the legacy medical devices are.”
Greg Garcia, Executive Director of the Healthcare Sector Coordinating Council Cybersecurity Working Group (HSCC CWG), explained that HSCC CWG has published five extensive cybersecurity practices, negotiated between medical product manufacturers and health providers, that help both sides improve medical device cybersecurity, and work continues on improving those practices. “A key point to be made is that the health sector is an interconnected and interdependent ecosystem. We cannot address the security of our medical device manufacturing in a vacuum. We must also consider how health systems appropriately manage cybersecurity of devices,” explained Garcia. “We must scrutinize the procurement of unregulated software and components that support medical devices and other networked systems.” HSCC CWG is currently supporting and operationalizing national health infrastructure mapping and risk assessments to provide visibility into the critical services and utilities that support the many interconnected interdependencies across the healthcare ecosystem.
The FDA has been actively working on improving medical device cybersecurity by ensuring that new medical devices that come to market have adequate cybersecurity safeguards; however, at the hearing, concerns were raised about the ability of the FDA to continue that good work. The Department of Health and Human Services (HHS) is being reorganized as part of the Trump administration’s efforts to increase government efficiency, which includes a significant reduction in the size of the HHS workforce. In the latest round of layoffs, the HHS workforce will be reduced by around 10,000, and since President Trump took office in January, a similar number of workers have already left the HHS.
Many of those job losses will be at the FDA, and that could potentially have implications for medical device cybersecurity. The HHS issued a press release about the HHS’ transformation to “Make America Healthy Again”, confirming that the workforce of the FDA will be reduced by 3,500 full-time employees as part of efforts to streamline operations and centralize administrative functions. Announcing the decision, the HHS said, “This reduction will not affect drug, medical device, or food reviewers, nor will it impact inspectors.” However, it is unclear exactly where staff will be reduced.
Kevin Fu, professor at Northeastern University and director of its Archimedes Center for Healthcare and Medical Device Cybersecurity, who previously served as acting director of medical device security at the FDA’s Center for Devices and Radiological Health, said medical device cybersecurity is not a hypothetical issue but a real-world threat with real-world consequences, and he called for enforceable cybersecurity standards now, not after a preventable incident. He called for regulators, manufacturers, and cybersecurity professionals to collaborate to embed security by design, explaining that this approach will keep investors happy, avoid delays to market, and ensure patients are protected.
Fu also voiced concerns about the staff cuts at the FDA. He explained that he was already running a skeleton crew at the FDA under the Biden administration and warned that any reduction in review staff would have “a tremendous impact on cybersecurity” and would make the pre-market and post-market management of cybersecurity much more difficult. Cybersecurity assessments, new cyber guidance, and the FDA’s response to newly discovered vulnerabilities could be affected, and the review process for innovative medical technologies would likely be slowed. He also said that, in his opinion, if two cybersecurity incidents were to occur simultaneously, the current staffing levels at the FDA would not be sufficient to respond and meet the FDA’s congressionally mandated duties. The witnesses all made recommendations on how to improve the cybersecurity of legacy medical devices; one common suggestion was for the FDA to take more action, including putting more pressure on medical device manufacturers to ensure that their devices have the necessary cybersecurity safeguards. That could prove difficult with such a major reduction in the workforce.
“The primary concerns with attacks against medical devices are related to patient safety and national security,” said Erik Decker, Intermountain Healthcare CEO and former co-chair of the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group. “Additionally, they can be used as conduits for further attack against an organization. Though there have been no known public attacks against medical devices to cause harm to a patient, the studies and research have shown that such an attack is possible.”
Decker warned that it is not only the job cuts at the FDA that could impact medical device cybersecurity. Last month, President Trump signed an executive order that disbanded 16 critical infrastructure policy advisory committees, which previously met regularly to discuss critical cybersecurity issues. Decker said those committees need to be reestablished urgently so they can get back to work securing critical infrastructure.