The American Hospital Association penned a letter to the House May 31 detailing how the FDA can help keep medical devices, including legacy devices, secure.
The AHA's letter, released June 28 as part of U.S. House Energy and Commerce Committee's portfolio of responses to a recent request for information, argued "legacy devices remain a key vulnerability for hospitals and health systems." Health systems tend to have thousands of devices from different manufacturers on their networks, which complicate the institutions' security management.
"Given their useful lifespans, many legacy devices were not built with cybersecurity in mind and may use outdated or insecure software, hardware and protocols, leaving them vulnerable to attack," the letter reads.
The association wrote health systems are generally responsible for creating their own security controls, such as installing firewalls around devices. To aid with cybersecurity measures, the AHA suggested the FDA release more stringent guidance requiring device manufacturers to support end-users providing ongoing security updates, software patches and hardware upgrades throughout a device's expected lifetime.
"While there is recognition of 'shared responsibility' for security, the reality today is that the end-user carries a much heavier load for securing devices," the letter reads. "Security tools and procedures provided by medical device manufacturers should limit burden for the end-user and integrate, as much as possible, into standardized practices and tools already employed by hospitals and health systems."
To access the AHA's letter, click here.