House seeks feedback on cyber challenges posed by legacy systems
The House Energy and Commerce Committee has issued a request for information from industry stakeholders on how to address the cybersecurity challenges posed by legacy healthcare technologies and medical devices.
“While healthcare cybersecurity is a complex, nuanced challenge with many different contributing factors, the use of legacy technologies, which are typically more insecure than their modern counterparts, continues to be a root cause of many incidents,” states the RFI.
The committee is chaired by Greg Walden (R-Ore.) and ranking member Frank Pallone (D-N.J.).
“The healthcare sector and medical technologies face the same challenge that has vexed the information technology (IT) industry for decades; digital technologies age faster and less gracefully than their physical counterparts,” the panel’s document notes.
At the same time, lawmakers point out that medical technologies are significantly more specialized than traditional IT products and typically are vastly more expensive than consumer or enterprise IT. As a result, they contend that it is difficult to replace these technologies outright, or it is cost prohibitive to conduct widespread technology replacements.
The committee referenced a May 2017 incident in which hundreds of thousands of computers worldwide were compromised by the WannaCry ransomware in at least 150 countries, including the National Health Service in the United Kingdom, where the cyberattack froze computers at hospitals and forced the closure of emergency departments. WannaCry affected systems through a “flaw in a 30-year-old software protocol,” according to the RFI.
“The United States healthcare sector escaped the worst of the danger due to the timely intervention of an independent security researcher,” state the members of Congress. “However, the existence of this severely outdated protocol throughout modern medical networks—including within devices such as MRIs and X-ray machines, in addition to traditional desktops—alerted stakeholders to the pervasiveness and severity of the legacy problem in healthcare.”
Going forward, the committee would like stakeholder recommendations for best practices in how to handle the challenges created by legacy technologies. Lawmakers will accept public input from all parts of the healthcare sector until May 31.
Responses to the RFI can be emailed to firstname.lastname@example.org. All submissions will be made publicly available.