On April 20, 2018, the House Energy and Commerce Committee posted a request for information regarding the cybersecurity risk posed by the use of legacy technologies in the healthcare sector (the RFI).  “Legacy” technology is the term used for older, including outdated, technology that is generally more insecure than more modern counterparts.  The Committee requests feedback regarding “legacy technology challenges, opportunities, considerations, and suggestions in the healthcare sector.”  The deadline for the submission of comments is May 31, 2018.  The comments will be made public.

The Committee’s RFI describes the gravity of the cybersecurity threat in the healthcare industry, as illustrated by the widespread “WannaCry” ransomware infection that affected healthcare providers in May 2017.  The Committee observes that reducing the cybersecurity threats in healthcare is complicated by the following: (i) medical technologies are more specialized than other IT products, so there are often few or no available alternatives; (ii) medical technologies are typically more costly than other IT products, and many hospitals operate on thin margins; and (iii) it is costly to find vulnerabilities in and continue support for legacy healthcare technologies.  Recognizing these challenges, the Committee requests additional input from diverse stakeholders regarding the challenges posed by legacy technologies and the opportunities that exist in addressing these challenges.

The RFI follows two hearings held last year by the House Energy and Commerce Subcommittee on Oversight and Investigations on the topic of cybersecurity in healthcare.  In the first hearing, held on April 4, 2017, titled “Cybersecurity in the Health Care Sector:  Strengthening Public-Private Partnerships,” the Subcommittee examined the need for greater leadership and improved coordination on cybersecurity issues in healthcare, with a particular focus on how the private and public sectors could work together moving forward.  In the second hearing, held on June 8, 2017, titled “Examining the Role of the Department of Health and Human Services in Health Care Cybersecurity,” the Subcommittee examined the role of the Department of Health and Human Services in cybersecurity efforts in healthcare.  For additional information regarding the June 8 hearing, please click here for the June 12, 2017 issue of Health Headlines.

The Committee’s RFI is here.