Gary Palmer U.S. House of Representatives from Alabama's 6th district | Official U.S. House Headshot
Congressman Gary Palmer, chair of the Subcommittee on Oversight & Investigations, emphasized the critical issue of cybersecurity vulnerabilities in legacy medical devices during a recent hearing in Washington, D.C. The session, named "Aging Technology, Emerging Threats: Examining Cybersecurity Vulnerabilities in Legacy Medical Devices," highlighted the cybersecurity risks posed by outdated medical equipment in U.S. healthcare settings.
Palmer noted the pressing challenge of safeguarding legacy medical devices against cybersecurity threats. "Legacy medical devices are medical devices that cannot be reasonably protected against current cybersecurity threats," he stated. The issue is particularly acute because many medical devices, such as patient monitors and infusion pumps, have long-lasting hardware but often rely on software that quickly becomes outdated and vulnerable.
He pointed out that while patching and updating could mitigate some risks, they are often insufficient due to technological and compatibility issues. "Patching and updating software are common ways to address cybersecurity vulnerabilities, but it is unlikely that such vulnerabilities can be sufficiently mitigated through these approaches due to outdated technology and compatibility issues," Palmer remarked.
These devices remain in use in hospitals, especially in smaller or under-resourced facilities, because replacing them poses significant cost and logistical challenges. "Merely replacing devices comes with financial and logistical challenges which leads many hospitals to retain these legacy medical devices well beyond their life expectancies," Palmer explained.
With the healthcare sector being one of the critical infrastructure sectors vulnerable to cyberattacks, Palmer cited historical cases like the WannaCry ransomware attack of 2017, which underscored the risks posed by unpatched systems.
He also highlighted national security concerns, referencing an alert issued by the Cybersecurity and Infrastructure Security Agency and the Food and Drug Administration regarding a vulnerable Chinese-made patient monitor.
Palmer acknowledged progress made under the PATCH Act of 2022, which expanded the FDA's authority over medical device cybersecurity, but emphasized that many legacy devices remain unprotected by these new laws. "Progress was made to address legacy medical device issues in 2022, with the enactment of the PATCH Act which increased FDA's authority over medical device cybersecurity," he said.
He concluded by expressing gratitude to the experts present at the hearing for their role in addressing these challenges and looked forward to their insights. "I thank our witnesses for joining us today and sharing their expertise to guide the efforts in addressing these challenges," Palmer said.