An influential House committee is taking a deeper dive into the cybersecurity risks associated with legacy technology throughout the healthcare industry and asking for stakeholders to help policymakers establish possible solutions moving forward.
Calling healthcare cybersecurity a “complex, nuanced challenge with many different contributing factors,” lawmakers zeroed in on legacy devices as the “root cause” of many security incidents, according to a request for information (PDF) issued by the Energy and Commerce Committee last week.
The request acknowledged the simplest recommendation is to replace legacy technology with updated equipment. But the healthcare industry finds itself in a predicament with no easy solutions. Medical technology is more specialized with fewer replacement options for legacy devices. The cost of replacement is much higher than that of consumer technology, and for hospitals with thin operating margins, updating equipment often means sacrificing another portion of its budget.
Some have called for manufacturers to maintain support for legacy technology throughout its lifecycle, but the committee argued that diverting resources to older systems would “likely have significant impacts on their ability to provide new and innovative technologies.”
“The challenges created by legacy technologies are, by definition, decades in the making,” the House committee wrote, requesting additional input from stakeholders in every sector. “They implicate dozens of diverse stakeholders with different and at times competing equities, and they have no clear solutions.”
Exactly how to manage a glut of legacy systems throughout the industry has been up for debate, particularly after the WannaCry attack last year that took advantage of a vulnerability in outdated operating systems.
One suggestion, included in the Department of Health and Human Services Cybersecurity Task Force report released last year, is a program similar to Cash for Clunkers, a federal initiative aimed at getting old cars with poor fuel efficiency off the road.
Meanwhile, the Food and Drug Administration wants to devote more funding to medical device cybersecurity by creating a “go-team” that could assist with response efforts and help identify key vulnerabilities. The agency is also considering requiring manufacturers to include a “bill of materials” to allow hospitals to better manage networked devices.