Dispersed responsibility, lack of asset inventory are causing gaps in medical device cybersecurity
Witnesses at a House hearing on medical device cybersecurity Tuesday called out the need for more proactive tracking of products used across the country, saying the status quo leaves many health system owners and operators in the dark about vulnerabilities, exploitation and patching updates.
Testifying before the House Energy and Commerce Subcommittee on Oversight and Investigations, Dr. Christian Dameff at University of California San Diego Health told lawmakers that when a drug creates an adverse reaction in patients or a flaw in a medical device’s clinical functionality is discovered, there’s an established process to notify providers.
Currently, there is no comparable system in place to inventory legacy connected medical devices used in practices around the country. The primary reason behind this, he said, is that “it is incredibly difficult to know where these devices actually are.”
“In regards to providers, doctors, nurses, other folks who may be using these types of medical devices in clinical practice, to my knowledge the dissemination of information of these vulnerabilities to them is quite limited,” Dameff said.
When a medical device has a vulnerability, the device manufacturer typically notifies hospital systems, which may then patch those devices. But Dameff noted that he has never personally received notification about a cybersecurity vulnerability in one of his devices.
Dameff lamented how communication around device cybersecurity tends to break down before reaching those with firsthand knowledge of their use and location. He called for the U.S. to develop a comprehensive sector-mapping system that would allow device manufacturers and the medical community to quickly identify the scope of a hack or vulnerability, identify owners and operators and remediate before a nation state or ransomware actor can exploit it at scale.
“We do not have, as a nation, the capability to discover where these devices are, to know what their security state is,” Dameff said, adding that he supports ideas like sector mapping to help answer those questions.
The lack of asset inventory is a problem that plagues many critical infrastructure sectors. In 2020, Congress gave the Cybersecurity and Infrastructure Security Agency the ability to issue administrative subpoenas to internet service providers in order to identify owners of vulnerable IT assets connected to the internet and notify them about patching and remediation options. But in 2021, then-Director Jen Easterly indicated that the agency had used the authority sparingly, issuing just 35 subpoenas over the past year.
The Food and Drug Administration offers guidance on how manufacturers should approach securing medical devices from cybersecurity threats, both during the design stage and after a device is on the market. A January report from the Health Information Sharing and Analysis Center found that one of the key breakdowns in security maintenance happens when individual devices are resold and passed to different buyers and consumers.
“As medical devices move through the lifecycle phases, the responsibility for tasks may transfer between the manufacturers and the customer,” the organization wrote. “Communication between the two parties is essential as the device moves through the lifecycle so that tasks are coordinated, and security gaps within the product are reduced.”
For example, a Rapid7 report from 2023 looked at 13 different medical infusion pumps purchased on the secondary market and found that nine of them contained valid wireless authentication data from the previous organization that used them, including Wi-Fi passwords and other credentials.
The Rapid7 report called for a reexamination of how hospitals and medical organizations decommission their legacy devices, as well as industry standards for purging sensitive data from devices before selling them on the secondary market.