Aging Technology, Emerging Threats: Examining Cybersecurity Vulnerabilities in Legacy Medical Devices
House Energy and Commerce Subcommittee on Oversight and Investigations
2025-04-01
Source: Congress.gov
Transcript
The Subcommittee on Oversight and Investigations will now come to order. The chair now recognizes himself for five minutes for an opening statement. Good morning and welcome to today's hearing entitled "Aging Technology, Emerging Threats: Examining Cybersecurity Vulnerabilities in Legacy Medical Devices." Legacy medical devices are medical devices that cannot be reasonably protected against current cybersecurity threats. In some instances, these are older devices that were made before existing cybersecurity requirements were established, but they can also be newer devices that have outdated software and lack the necessary cybersecurity protections required to defend against current threats. There's a broad range of medical devices that can be vulnerable to cybersecurity threats, but examples include patient monitors, infusion pumps, and imaging systems. With over 6,000 hospitals in the United States, each housing a range of rooms and beds, and an average of 10 to 15 connected devices per bed, it is clear how integral medical devices are to delivering healthcare in the United States. One challenge with these devices is that the hardware can last 10 to 30 years, but the software becomes obsolete much sooner. Patching and updating software are common ways to address cybersecurity vulnerabilities, but it is unlikely that such vulnerabilities can be sufficiently mitigated through these approaches due to outdated technology and compatibility issues. Moreover, merely replacing devices comes with financial and logistical challenges, which leads many hospitals to retain these legacy medical devices well beyond their life expectancies, often without the software support to handle modern cybersecurity risk. This is particularly true in small, rural, and under-resourced facilities, making it crucial to find practical solutions.
It is also important to recognize that the healthcare sector is one of the 16 critical infrastructure sectors in the United States and has become a significant target for cyber attacks. For example, in 2017, the global WannaCry ransomware attack severely impacted the healthcare sector. In the United States, medical device manufacturers rushed to patch affected devices after WannaCry showed that malware could jump from PCs to embedded medical devices. This attack demonstrated how unpatched, older Windows-based systems and medical devices can be immobilized by ransomware. Additionally, the risk of harm to patients is a big concern because if a medical device's vulnerability is exploited, the ability for a device to help monitor, diagnose, or treat a patient can be compromised. There are also national security concerns. On January 30th, the Cybersecurity and Infrastructure Security Agency and the Food and Drug Administration released an alert about a Chinese-made patient monitor that had a hidden back door that could enable remote control and data exfiltration. While the vulnerability may have been unintentional, it raised concerns and highlighted the risk of nation-state actors pre-positioning destructive malware in our healthcare sector as part of a potential large-scale cyber attack to disrupt one of our nation's critical infrastructure sectors. Progress was made to address legacy medical devices in 2022 with the enactment of the PATCH Act, which increased FDA's authority over medical device cybersecurity. The law now requires manufacturers to submit cybersecurity plans for new devices. Legacy medical devices that were on the market before this law took effect, however, still pose a significant risk. Therefore, addressing cybersecurity threats in legacy medical devices is critical. Fortunately, thanks to the ongoing work of the experts represented by our witnesses today, we have valuable partnerships and coordinated efforts to help address these risks and threats. I thank our witnesses for joining us today and sharing their expertise to guide the efforts in addressing these challenges, and I look forward to their testimony.
The chair recognized subcommittee ranking member, Ms. Clark, for five minutes for an opening statement.
Thank you, Mr. Chairman, and I thank our witnesses for appearing before us today and bringing your expertise to bear. However, I'm deeply alarmed by the Trump administration's announcement that the Department of Health and Human Services is DOGE's next target. HHS Secretary Kennedy has announced that he is terminating 20,000 positions and shuttering regional offices across the country, creating further chaos and turmoil for federal employees and the people who depend on the services they provide. I have difficulty seeing how we can have a hearing about how the FDA should approach legacy medical device cybersecurity without first addressing the fact that the Trump administration and DOGE are dismantling the very agency responsible for medical device safety. The Trump administration's attacks on the health and safety of the American people have already done serious damage. Proposed cuts to National Institutes of Health grant funding for medical research, abrupt terminations of research projects already underway, and cancellations of advisory committees and review panels are stifling the scientific community. The government's partnership with the scientific community made the United States the undisputed global leader in scientific research and innovation for decades, and now that is being recklessly destroyed. Just last week, Peter Marks, who served in a critical role at FDA by overseeing the regulation of vaccines, was forced to resign. And in his resignation letter, he stated that, quote, it has become clear that truth and transparency are not being desired by the secretary, but rather he wishes subservient confirmation of his misinformation and lies, end quote. In February, Elon Musk and DOGE made the first workforce cuts to HHS and other agencies across the government, targeting probationary employees.
Those terminations included hundreds of new hires from the Center for Devices and Radiological Health, or CDRH, who had been recruited because of their expertise in artificial intelligence and other technological fields that support the review of medical devices.
It took about a week for Elon Musk to realize the value of the work these employees were doing, and many were offered reinstatements. We need to know how many employees have returned to CDRH and which positions are still vacant. The administration has not provided us that information, despite several requests from Democratic members and staff.