Healthcare Informatics Magazine

House Seeking Stakeholder Feedback on Addressing Cyber Risks of Legacy Health IT

April 25, 2018
by Heather Landi

The House Energy and Commerce Committee is seeking input and feedback from healthcare industry stakeholders on how to address cybersecurity vulnerabilities in legacy healthcare IT technologies and medical devices.

In a request for information (RFI), the House E&C committee is soliciting industry stakeholders’ comments and suggestions regarding legacy technology challenges and opportunities.

“While health care cybersecurity is a complex, nuanced challenge with many different contributing factors, the use of legacy technologies, which are typically more insecure than their modern counterparts, continues to be a root cause of many incidents. The health care sector and medical technologies face the same challenge that has vexed the information technology (IT) industry for decades; digital technologies age faster and less gracefully than their physical counterparts,” the committee wrote in the RFI.

Stakeholders can email their comments to by May 31, 2018. The committee is chaired by Greg Walden (R-Ore.) and ranking member Frank Pallone (D-N.J.).

Citing the WannaCry ransomware attack in May 2017 that exploited a flaw in a 30-year-old software protocol, leading to the global infection of hundreds of thousands of devices, the House E&C Committee warned that the healthcare industry faces significant risks from vulnerabilities and outdated protocols in legacy systems and devices.

The Committee notes that finding and fixing vulnerabilities like the one leveraged by WannaCry is costly. “Though hard data about the exact costs are difficult to determine, one cybersecurity professional estimated that fixing a single vulnerability may cost an organization anywhere from $400 to $4,000. Considering the fact that many popular medical technologies leverage software and hardware with hundreds to thousands of known vulnerabilities, let alone unknown ones, vulnerability identification and management can quickly become a daunting ask,” the Committee leaders wrote in the RFI. “This leads to a cost-benefit analysis between the value provided to an organization through the use of a given piece of technology, the costs of keeping it patched and updated, and the risks posed by using technologies which may be too expensive in terms of time and resources to update.”

The committee also notes that medical technologies typically are more expensive than consumer or enterprise IT. “As a result, organizations may reason that replacing technologies to address intangible and often esoteric cybersecurity vulnerabilities, especially in machines that may still exhibit acceptable physical operation, does not provide enough benefits to offset the costs. Why, if a device can still meet its intended use, should it be replaced at the expense of other organizational needs?”

To complicate matters further, the Committee also notes that requiring manufacturers and developers of medical technologies to support legacy technologies as an alternative to replacing legacy systems is problematic as well. “It is sometimes inefficient or impractical to fix vulnerabilities, as doing so may mean entirely rearchitecting or rewriting the chipsets, operating systems, or applications on which a technology relies. This is an expensive undertaking not just in terms of funding, but in terms of time and expertise,” the Committee wrote.

The House E&C Committee leaders acknowledge that there are “no clear solutions” and request stakeholder feedback to understand the full scope of the challenge and the potential paths to address it.
