On April 1, the House Energy & Commerce Oversight and Investigations Subcommittee held a hearing on cybersecurity risks in legacy medical devices[i]. Witnesses urged the Trump administration to start a one-year collaboration with HHS focused on improving cybersecurity protections. They also called for reinstating a recently disbanded advisory committee that previously supported coordination across the health sector.
Republicans focused on identifying threats from outdated medical devices and foreign-made equipment. They emphasized the scale of the issue by pointing to the large number of connected devices used in hospitals and the challenges of securing older hardware running obsolete software. Some Republican members expressed concern about government spending and questioned whether adding staff was the right solution. Others asked how legacy devices could be better tracked and updated to protect patients.
Democrats used the hearing to condemn the Trump administration’s mass layoffs at HHS. They warned that the cuts would weaken FDA’s ability to oversee medical device cybersecurity. Democrats pointed out that Congress had previously tasked the FDA with strengthening cybersecurity rules for medical device approvals and said those efforts would be meaningless if there were not enough staff to enforce them. Witnesses agreed that reducing cybersecurity staff at FDA could leave hospitals vulnerable to future ransomware attacks and other threats.
Witnesses from the health care sector said federal agencies, private physicians, and other health care professionals need to work together to address evolving cyber threats. They called for better coordination, more skilled professionals, and stronger protections for critical infrastructure. Some warned that even with advanced tools, hospitals lack the workforce to detect or respond to complex attacks. Witnesses concluded that without support from the federal government, many institutions will struggle to keep up.
Considering the massive cyberattack on Change Healthcare last year, these issues are extremely important. We will continue to monitor how the Advocacy Council can engage with Congress to advocate for sensible cybersecurity guidelines that do not place undue burdens on allergy practices.
The Advocacy Council – ADVOCATING FOR ALLERGISTS AND THEIR PATIENTS.
[i] Legacy Devices are defined as Medical Devices, Active Implantable Medical Devices and In Vitro Diagnostic Medical Devices that are covered by a valid certificate issued in accordance with Directive 93/42/EEC, Directive 90/385/EEC or Directive 98/79/EC and that continue to be placed on the market after the date of application of Regulation (EU) 2017/745 (MDR) or Regulation 2017/746 (IVDR).
