On April 1, 2025, the subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce held a hearing on cybersecurity vulnerabilities in legacy medical devices. The hearing was largely a fact-finding discussion, with subcommittee members attempting to ascertain the scope and source of such vulnerabilities. While no immediate solutions were reached, we anticipate this is an area that will continue to evolve and warrants monitoring.
While there is no official definition of a “legacy device,” the term generally refers to medical devices that cannot be patched or updated. Kevin Fu, a witness at the hearing, described legacy devices as akin to “driving a car built without a seat belt.” Because these devices cannot be patched or updated, they are vulnerable to attacks and, in the event of a cybersecurity attack, cannot be easily fixed, which can result in delays in the provision of critical healthcare services.
The witnesses, experts, and thought leaders in healthcare and medical device cybersecurity in attendance coalesced around a few key themes:
The hearing coincided with the actions taken to reduce the US Food and Drug Administration’s (FDA’s) and US Department of Health and Human Services’ (HHS’s) workforce, which served as a backdrop for concerns from some subcommittee members that reductions in staffing would be counterproductive to any potential solution that could result from the hearing. Those subcommittee members advocated instead for an oversight hearing on the ongoing reductions in force at FDA and HHS.
Other subcommittee members probed the witnesses for more information on the number and types of devices that are legacy devices (unknown), the process for dissemination of known cybersecurity vulnerabilities (information comes to device manufacturers from the FDA and the Cybersecurity and Infrastructure Security Agency), and whether medical device manufacturers should be held legally liable (this would be unfair given the shared responsibility and the multiple failure points, many outside of a manufacturer’s control, that could lead to an incident). The subcommittee overall agreed that the issue was significant and that additional congressional action is warranted to address this matter.
The issue of cybersecurity in medical devices has also previously drawn the attention of the Federal Bureau of Investigation (FBI) and is the subject of recently added FDA requirements and nonbinding FDA guidance.
In September 2022, the FBI issued a Private Industry Notification warning that unpatched medical devices may have vulnerabilities that could impact healthcare facilities’ operations, patient safety, and the confidentiality and integrity of medical information.[1] That same year, the US Congress enacted the Food and Drug Omnibus Reform Act of 2022 adding Section 524B to the Federal Food, Drug, and Cosmetic Act, which requires that manufacturers provide certain information about the cybersecurity of “cyber devices” in their premarket submissions and ensure that such devices remain cybersecure postmarket.
In 2023, the FDA issued guidance on this topic, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, recommending, among other things, adopting a secure product development framework to manage cybersecurity risks, designing with security objectives in mind, employing transparency about how to maintain the cybersecurity of a medical device over time and potential risks, and conducting cybersecurity risk assessments that are appropriately tailored to the risk of the device.[2] The FDA followed this guidance by issuing draft guidance in March 2024 to propose updates to the 2023 guidance with additional recommendations regarding the new 524B requirements.[3]
More recently, the FDA released draft guidance on AI-enabled devices in January, which references special considerations related to AI cybersecurity risks to include in premarket submissions.[4] While both draft guidances have yet to be finalized, they illustrate that, even as Congress continues to deliberate potential additional approaches to improve cybersecurity as it relates to medical devices, cybersecurity has become a routine aspect of the FDA’s premarket review and the agency remains focused on medical device cybersecurity.
With the emphasis on shared responsibility among healthcare providers, healthcare facilities, manufacturers of medical devices, and patients, these stakeholders should be aware that cybersecurity remains a key area of focus. With the potential for legal and regulatory changes in the future, companies should continue to follow best practices and make effective use of legal and regulatory professionals to ensure reasonable cybersecurity measures are in place and that they are equipped to respond to and manage cybersecurity incidents. Morgan Lewis will continue to monitor congressional activity and regulator guidance in this space.
Morgan Lewis is available to provide strategic counseling with respect to medical device premarket submissions, cybersecurity risks, enhancing cybersecurity programs, and responding to cybersecurity incidents. Our FDA and Cybersecurity, Incident Response, and Privacy teams have broad, in-depth experience advising clients on strategic decision-making around critical legal and regulatory aspects related to medical devices and cybersecurity. We are closely following these fast-moving developments and stand ready to assist those navigating the evolving regulatory landscape.
[1] FBI, Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities (20220912-001).
[2] FDA Guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Sept. 27, 2023).
[3] FDA Draft Guidance, Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act (Mar. 13, 2024).
[4] FDA Draft Guidance, Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations (Jan. 7, 2025).