House committee to examine cybersecurity risks of legacy technology in healthcare

Washington DC National Capitol Building
The House Energy and Commerce Committee is collecting information about cybersecurity vulnerabilities in legacy medical devices. (Getty/lucky-photographer)

An influential House committee is taking a deeper dive into the cybersecurity risks associated with legacy technology throughout the healthcare industry and asking for stakeholders to help policymakers establish possible solutions moving forward.

Calling healthcare cybersecurity a “complex, nuanced challenge with many different contributing factors,” lawmakers zeroed in on legacy devices as the “root cause” of many security incidents, according to a request for information (PDF) issued by the Energy and Commerce Committee last week.

The request acknowledged the simplest recommendation is to replace legacy technology with updated equipment. But the healthcare industry finds itself in a predicament with no easy solutions. Medical technology is more specialized with fewer replacement options for legacy devices. The cost of replacement is much higher than that of consumer technology, and for hospitals with thin operating margins, updating equipment often means sacrificing another portion of its budget.

Innovation Awards

Submit your nominations for the FierceHealthcare Innovation Awards

The FierceHealthcare Innovation Awards showcases outstanding innovation that is driving improvements and transforming the industry. Our expert panel of judges will determine which companies demonstrate innovative solutions that have the greatest potential to save money, engage patients, or revolutionize the industry. Deadline for submissions is this Friday, October 18th.

RELATED: FDA wants to create a ‘go-team’ for medical device cybersecurity

Some have called for manufacturers to maintain support for legacy technology throughout its lifecycle, but the committee argued that diverting resources to older systems would “likely have significant impacts on their ability to provide new and innovative technologies.”

“The challenges created by legacy technologies are, by definition, decades in the making,” the House committee wrote, requesting additional input from stakeholders in every sector. “They implicate dozens of diverse stakeholders with different and at times competing equities, and they have no clear solutions.”

RELATED: Cash for clunkers—Could it work for legacy medical devices?

Exactly how to manage a glut of legacy systems throughout the industry has been up for debate, particularly after the WannaCry attack last year that took advantage of a vulnerability in outdated operating systems.

One suggestion, included in the Department of Health and Human Services Cybersecurity Task Force report released last year, is a program similar to Cash for Clunkers, a federal initiative aimed at getting old cars with poor fuel efficiency off the road.   

Meanwhile, the Food and Drug Administration wants to devote more funding to medical device cybersecurity by creating a “go-team” that could assist with response efforts and help identify key vulnerabilities. The agency is also considering requiring manufacturers to include a “bill of materials” to allow hospitals to better manage networked devices.

Suggested Articles

In a letter, 111 physician organizations weighed in on surprise billing, urging Congress not to turn more power over to health insurers.

Even when taking into account increased resources, general and vascular procedures performed in teaching hospitals are better for high-risk patients.

As members of Congress wrangle over the best way to stop surprise medical bills, one senator predicts Washington will pass a new law soon.