Premier Submits Statement for Congressional Hearing on Legacy Medical Device Cybersecurity Risks
Premier submitted a statement for the record for the House Energy and Commerce Subcommittee on Oversight and Investigations April 1, 2025 hearing entitled, "Aging Technology, Emerging Threats: Examining Cybersecurity Vulnerabilities in Legacy Medical Devices.” Premier warns that as healthcare provider organizations integrate artificial intelligence (AI), the Internet of Medical Things (IoMT), and connected devices, their vulnerability to cyberattacks by increasingly sophisticated adversaries grows, exacerbated by outdated legacy systems. Unlike other critical industries, healthcare cybersecurity has lagged due to fragmented regulations and a lack of clear federal oversight. In its statement, Premier calls for urgent action from Congress to modernize protections and align incentives between providers and manufacturers.
Premier’s key recommendations include:
Governance: Establish formalized cybersecurity oversight for medical devices throughout their entire lifecycle.
Shared Responsibility: Ensure manufacturers and providers share accountability for securing medical devices, including those in use beyond their initial support period.
Objective Data Collection: Task the FDA with compiling and publishing data on medical device cybersecurity risks, costs, and useful life spans.
Fair Breach Penalties: Distribute financial penalties equitably between healthcare providers and device manufacturers based on breach root cause analysis.
Emergency Use Authorization (EUA) Clarity: Define cybersecurity responsibilities for medical devices approved under emergency use pathways.
Premier urges policymakers to enact comprehensive reforms that align healthcare cybersecurity standards with those in other critical infrastructure sectors to protect patient safety and data integrity.
