The U.S. House Committee on Energy and Commerce convened on April 1, 2025, to address critical cybersecurity vulnerabilities in legacy medical devices. The meeting highlighted the urgent need for improved security measures to protect these essential tools used in patient care.
During the hearing, experts emphasized that many legacy medical devices lack adequate security features, making them susceptible to cyberattacks that could disrupt clinical operations and jeopardize patient safety. Unlike consumer devices, failures in medical device cybersecurity can have dire consequences, underscoring the importance of addressing these vulnerabilities.
One key point raised was the need for the Food and Drug Administration (FDA) to enhance its post-market risk management strategies. Experts argued that the FDA's focus should extend beyond pre-market evaluations to include ongoing assessments of devices once they are in use. This shift is crucial for managing risks associated with outdated software and unsupported operating systems that many legacy devices rely on.
The discussion also pointed out the absence of independent large-scale testing facilities for medical devices, similar to those used in automotive safety testing. Such facilities would be vital for evaluating the cybersecurity defenses of medical devices in real-world hospital environments.
A significant recommendation made during the hearing was to preserve and expand the FDA's in-house cybersecurity expertise. Experts stressed that the agency requires staff with deep technical knowledge in cybersecurity to effectively manage post-market vulnerabilities and coordinate responses to newly discovered threats. The current staffing levels at the FDA may not be sufficient to handle simultaneous cybersecurity incidents, potentially hindering the agency's ability to ensure the safety and effectiveness of medical devices.
In conclusion, the meeting underscored that cybersecurity is not merely a challenge but a critical component of ensuring trust in medical technologies and maintaining continuity of patient care. The committee's focus on these issues reflects a growing recognition of the importance of safeguarding medical devices against evolving cyber threats.