WASHINGTON, DC - The Energy and Commerce Committee today posted a request for information regarding the use of legacy technologies in health care. These technologies, which are in use across the sector, have also been a root cause of many health care cybersecurity challenges.
The request for information details the committee’s interest, saying, “While health care cybersecurity is a complex, nuanced challenge with many different contributing factors, the use of legacy technologies, which are typically more insecure than their modern counterparts, continues to be a root cause of many incidents. The health care sector and medical technologies face the same challenge that has vexed the information technology (IT) industry for decades; digital technologies age faster and less gracefully than their physical counterparts."
The request for information continues, “This fact was illustrated in May 2017, when a flaw in a 30-year-old software protocol led to the global infection of hundreds of thousands of devices by the WannaCry ransomware. The United States health care sector escaped the worst of the danger due to the timely intervention of an independent security researcher. However, the existence of this severely outdated protocol throughout modern medical networks-including within devices such as MRIs and X-Ray machines, in addition to traditional desktops-alerted stakeholders to the pervasiveness and severity of the legacy problem in health care. The WannaCry outbreak occurred primarily because of one protocol embedded within dozens of unique medical technologies. In the aftermath of the outbreak, health care stakeholders were faced with a troubling question: how many other potential ‘WannaCrys’ lurk within their environments?"
The committee welcomes all feedback regarding the challenges of legacy technologies, as well as opportunities and suggestions for improvement, by Thursday, May 31, 2018. Such feedback will be made publicly available as the discussion to advance such reforms continues.
Energy and Commerce has examining a number of issues within health care cybersecurity. An April 2017 #SubOversight hearing broadly examined ways to bolster cybersecurity efforts in the health care sector, and a June 2017 #SubOversight hearing examined federal cybersecurity efforts in the wake of ‘WannaCry.’
