Witnesses warn legacy medical devices create ongoing cybersecurity risks to patient care
Summary
Experts at a House Energy & Commerce subcommittee hearing said medical devices with outdated software and long hardware lifespans create persistent cybersecurity vulnerabilities, and urged national dependency mapping, clearer incentives and more resources for hospitals and the FDA to manage those risks.
A House Energy and Commerce Subcommittee hearing on aging medical technology heard experts say legacy medical devices — equipment that cannot be reasonably protected against current cybersecurity threats — pose an ongoing risk to patient safety and health-care operations.
Witnesses told the Subcommittee on Oversight and Investigations that medical devices are increasingly computer-based, often run on unsupported software, and can remain in hospitals for a decade or more, creating widespread exposure when vulnerabilities are discovered. "Medical devices are miraculous," said Dr. Christian Dameff, co‑director of the UC San Diego Center for Healthcare Cybersecurity. "At their core, many modern medical devices are just computers. And this means there will be unavoidable flaws in software and hardware."
The concern is not limited to large hospitals. "The financial and operational stress that rural and critical access hospitals are currently under means they are unable to invest in the latest generation of medical devices," Dameff added, describing hospitals that keep devices running with parts purchased on secondary markets.
Why it matters: Witnesses said vulnerabilities can do more than expose data; they can degrade clinical monitoring or disrupt care delivery if exploited or if a networked system is taken offline. Dr. Kevin Fu, professor of electrical and computer engineering at Northeastern University, framed the problem bluntly: "Legacy medical device security is spoiled milk, not fine wine. It does not age gracefully." He said some devices are effectively "insecureable" because their software cannot be patched.
What the panel recommended: Multiple witnesses urged federal‑private collaboration and concrete steps to reduce risk:
- National healthcare dependency mapping to identify critical device, vendor and network interdependencies (Dr. Dameff, Greg Garcia).
- Legal protections and permanency for coordinated security research (Dameff urged making DMCA exemptions for medical device research permanent).
- Wider adoption and promotion of sector guidance such as the Health Industry Cybersecurity Practices and the Cybersecurity Performance Goals (Eric Decker, Intermountain Healthcare; Greg Garcia, Health Sector Coordinating Council).
- Investment in force‑multiplying technologies and programs such as ARPA‑H pilot efforts to automate remediation for legacy devices (Dameff cited ARPA‑H's universal patching work).
Panelists described the operational barriers to quick fixes. Michelle Jumps, chief executive officer of MedSec, noted the mismatch between device lifecycles and software support: "Medical devices used in clinical environments [can remain] 10, 15, or 20 years, but their underlying software components may only be supported for a fraction of the time." Eric Decker emphasized the practical constraints on patching: clinical testing and quality checks can delay or limit the deployability of device updates.
Several witnesses called for clearer incentives to help under‑resourced hospitals implement best practices. Decker pointed to the Health Industry Cybersecurity Practices (HICP, commonly pronounced "hiccup") and the statutory recognition of those practices as a step toward incentives, and urged additional support targeted at small and rural providers.
Closing: Witnesses agreed the problem will persist as long as devices remain in clinical use longer than their software support and hospitals lack resources to replace or defend them. But they offered a mix of technical, regulatory and financial steps to reduce risk, including expanded public‑private intelligence sharing, workforce development, and targeted funding or reimbursement incentives to help providers update or better secure aging devices.