Experts Tell Congress Lack of Tracking Creates Cybersecurity Gaps for Medical Devices
During a U.S. House hearing on 1 April, healthcare and cybersecurity experts said that it was no April Fools’ joke: there is no well-established process in place for tracking medical device inventory, leaving patients, operators, and healthcare staff exposed to the exploitation of potential gaps in the cybersecurity of such devices.
These devices save lives every day—pacemakers, patient monitors, insulin pumps, and more have become crucial tools that help medical professionals treat and care for patients. But like many other modern devices, many of them are connected to networks and the Internet.
While that connectivity can provide insight into patients and result in improved treatment, it also can result in risks.
“Our patients depend on millions of medical devices—many of them aging machines—to deliver life-saving care. The cybersecurity of our legacy medical devices thus becomes a literal matter of life and death,” said Dr. Christian Dameff, co-director of the UCSD Center for Healthcare Cybersecurity. Dameff was one of the witnesses giving testimony on 1 April in front of the House Subcommittee on Oversight and Investigations.
According to Dameff and the other witnesses, these legacy devices span the entire healthcare sector. However, there is no inventory at either the national or regional level that tracks these devices, and it is difficult to ensure their cybersecurity without understanding their full scope. If a vulnerability is detected in one model, how can every one of those devices be patched when it remains unknown how many of them are in use? Exacerbating the issue is the secondary market for older devices, which may be sold to organizations or providers operating on tighter budgets.
“The truth when it comes to the cybersecurity of legacy medical devices is that we lack many of the basic statistics needed to understand the magnitude of the threat,” Dameff added in his testimony. “…We currently don’t have the capability to determine at a national scale how many and where the legacy medical devices are.”
Although the four experts made various recommendations on how to tackle the problem, they pointed to a need for more action from the Food and Drug Administration (FDA) as well as the private sector.
While the witnesses acknowledged that the FDA has improved the cybersecurity of these devices in recent years, they pointed to increasing cyberattacks, such as ransomware attacks that further strain hospitals’ resources and their relationships with patients, and called for greater pressure from the agency and other healthcare organizations to improve cybersecurity efforts around medical devices.
Dameff called for greater visibility of devices and assets, lauding the Health Sector Coordinating Council’s (HSCC) effort to map dependencies and risks. The HSCC is currently mapping these elements, relying on health providers, healthcare IT, insurers, public health agencies, and pharmaceutical and medical technology companies “to identify those critical functions and assets, their connect points and dependencies, the associated concentration risk from mergers and acquisitions, and the relative risk to the provision of healthcare…that those functions would pose if disrupted,” according to HSCC executive director Greg Garcia.
Kevin Fu, a professor at Northeastern University’s College of Engineering, recommended that the FDA expand its cybersecurity expertise; that legacy medical devices include a software bill of materials (SBOM) to keep track of all software components, which could improve cybersecurity response; and that the agency foster national-scale testing facilities that would analyze a device’s security and determine how it might affect a hospital.
Michelle Jump, CEO of MedSec LLC, added that the FDA could leverage inspections on medical device manufacturers, applying pressure to ensure that they meet cybersecurity recommendations.
It’s unknown how the recently announced cuts to the U.S. Department of Health and Human Services, the FDA, and the National Institutes of Health could impact this risk.