Citing WannaCry, lawmakers ask how to tackle medical device cybersecurity flaws
Legacy health IT poses both a significant threat and challenge to the sector, and the House Energy and Commerce Committee is calling on industry leaders to share insights about ways to begin overcoming infosec issues.
The committee outlined its concerns about outdated medical devices in an RFI posted Friday, concerns sharpened by WannaCry. The May 2017 attack impacted hundreds of thousands of devices by leveraging a flaw in legacy technology and crippled a wide range of organizations, including the U.K. National Health Service.
Outdated software and equipment are still creating serious cybersecurity vulnerabilities that, if exploited, put patients at risk. Just last week, the U.K. governing body found that the NHS is still unprepared for another attack. Patching the same flaws exploited by WannaCry was just one of its challenges.
“The healthcare sector and medical technologies face the same challenge that has vexed the IT industry for decades: Digital technologies age faster and less gracefully than their physical counterparts,” the committee members wrote. “In the aftermath of the outbreak, healthcare stakeholders were faced with a troubling question: how many other potential ‘WannaCrys’ lurk within their environments?”
As a result, the committee is asking industry leaders to provide suggested methods that could improve these serious flaws to better understand what policies could prevent future attacks like WannaCry.
The committee said it understands that identifying and managing these flaws poses a serious challenge; for example, specialized equipment that fills an organization’s need may only be available in certain models. But they’re hoping industry stakeholders might have an answer to begin tackling that issue.
Currently, the Food and Drug Administration is making a push to include a mandatory built-in update capability, which would help when flaws crop up in new devices. However, that won’t help legacy technology, such as the devices covered by the firmware patch released this month by Abbott to fix cybersecurity flaws in 350,000 devices.
“For some of these products, replacements or alternatives may not be available, or they may be affected by similar vulnerabilities, leaving organizations with few, if any, good options,” the committee wrote.
However, the committee suggested that this method of requiring vendors to support legacy technology throughout its lifecycle is inefficient and impractical, “as doing so may mean entirely rearchitecting or rewriting the chipsets, operating systems, or applications on which a technology relies.”
“This is an expensive undertaking not just in terms of funding, but in terms of time and expertise,” the committee wrote. As a result, manufacturers would have to spend significant resources on legacy technology instead of providing innovative technology.
And cost is another major challenge to providers when it comes to fixing these flaws, as many hospitals operate under incredibly tight budgets that don’t allow for extra funding to replace legacy devices.
“As a result, organizations may reason that replacing technologies to address intangible and often esoteric cybersecurity vulnerabilities, especially in machines that may still exhibit acceptable physical operation, does not provide enough benefits to offset the costs,” they wrote.
“Why, if a device can still meet its intended use, should it be replaced at the expense of other organizational needs?” the committee asked.
The committee is asking industry stakeholders to address not only these issues but others of which the committee may not be aware. The deadline to provide input is May 31.