Dispersed responsibility, lack of asset inventory is causing gaps in medical device cybersecurity | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/gaps-in-medical-device-cybersecurity\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Dispersed responsibility, lack of asset inventory is causing gaps in medical device cybersecurity\"> <meta property=\"og:description\" content=\"As medical devices are bought and re-sold on the secondary market, they become harder to find and patch when a new vulnerability is discovered, a doctor told House lawmakers.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/gaps-in-medical-device-cybersecurity\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-04-02T00:13:28+00:00\"> <meta property=\"article:modified_time\" content=\"2025-04-02T00:13:30+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity-2.jpg\"> <meta property=\"og:image:width\" content=\"2131\"> <meta property=\"og:image:height\" content=\"1199\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1742994400g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1743113435g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1740691656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=a815169637cf454b7376\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/84065\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=84065\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fgaps-in-medical-device-cybersecurity%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fgaps-in-medical-device-cybersecurity%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-84065 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/gaps-in-medical-device-cybersecurity\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.148305084746\">\n<div class=\"single-article__header-content\" readability=\"35.675105485232\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/gaps-in-medical-device-cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> As medical devices are bought and re-sold on the secondary market, they become harder to find and patch when a new vulnerability is discovered, a doctor told House lawmakers. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/84065\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity.jpg?resize=640%2C360&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"ransomware healthcare\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity-2.jpg 2131w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity-2.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity-2.jpg?resize=1498,843 1498w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> The healthcare sector has seen enterprises both large and small shut down due to ransomware attacks. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"39.879188712522\"><body readability=\"80.947394915681\"><\/p>\n<p>Witnesses at a House hearing on medical device cybersecurity Tuesday called out the need for more proactive tracking of products used across the country, saying the status quo leaves many health system owners and operators in the dark about vulnerabilities, exploitation and patching updates.<\/p>\n<p>Testifying before the House Energy and Commerce Subcommittee on Oversight and Investigations, Dr. Christian Dameff at University of California San Diego Health told lawmakers that when a drug creates an adverse reaction in patients or a flaw in a medical device\u2019s clinical functionality is discovered, there\u2019s an established process to notify providers.<\/p>\n<p>Currently, there is no comparable system in place to inventory legacy connected medical devices used in practices around the country. The primary reason behind this, he said, is that \u201cit is incredibly difficult to know where these devices actually are.\u201d<\/p>\n<p>\u201cIn regards to providers, doctors, nurses, other folks who may be using these types of medical devices in clinical practice, to my knowledge the dissemination of information of these vulnerabilities to them is quite limited,\u201d Dameff said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>When a medical device has a vulnerability, typically the device manufacturer will notify hospital systems, who then may seek to patch those devices. But Dameff noted that he has never personally received notification about a cybersecurity vulnerability in one of his devices. <\/p>\n<p>Dameff lamented how communication around device cybersecurity tends to break down before reaching those with firsthand knowledge of their use and location. He called for the U.S. to develop a comprehensive sector-mapping system that would allow device manufacturers and the medical community to quickly identify the scope of a hack or vulnerability, identify owners and operators and remediate before a nation state or ransomware actor can exploit it at scale.<\/p>\n<p>\u201cWe do not have, as a nation, the capability to discover where these devices are, to know what their security state is,\u201d Dameff said, adding that he supports ideas like sector mapping to help answer those questions.<\/p>\n<p>The lack of asset inventory is a problem that plagues many critical infrastructure sectors. In 2020, Congress gave the Cybersecurity and Infrastructure Security Agency the ability to <a href=\"https:\/\/www.scworld.com\/news\/cisa-set-to-receive-subpoena-powers-over-isps-in-effort-to-track-critical-infrastructure-vulnerabilities\">issue administrative subpoenas<\/a> to internet service providers in order to identify owners of vulnerable IT assets connected to the internet and notify them about patching and remediation options. But in 2021, then-Director Jen Easterly <a href=\"https:\/\/www.scworld.com\/analysis\/easterly-details-how-cisa-has-used-its-subpoena-power\">indicated<\/a> that the agency had used the authority sparingly, issuing just 35 subpoenas over the past year.<\/p>\n<p>The Food and Drug Administration offers guidance on how manufacturers should approach securing medical devices from cybersecurity threats both during the design stage as well as after it hits the market. A January <a href=\"https:\/\/health-isac.org\/wp-content\/uploads\/Exploring-the-Cybersecurity-Roles-of-Manufacturers-and-Healthcare-Organizations-during-the-Medical-Device-Lifecycle.pdf\">report<\/a> from the Health Information Sharing and Analysis Center found that one of the key breakdowns in security maintenance happens when individual devices are resold and passed to different buyers and consumers.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cAs medical devices move through the lifecycle phases, the responsibility for tasks may transfer between the manufacturers and the customer,\u201d the organization wrote. \u201cCommunication between the two parties is essential as the device moves through the lifecycle so that tasks are coordinated, and security gaps within the product are reduced.\u201d<\/p>\n<p>For example, a Rapid7 <a href=\"https:\/\/www.rapid7.com\/blog\/post\/2023\/08\/02\/security-implications-improper-deacquisition-medical-infusion-pumps\/\">report<\/a> from 2023 looked at 13 different medical infusion pumps purchased on the secondary market and found that nine of them contained valid wireless authentication data from the previous organization that used them, including Wi-Fi passwords and other credentials. <\/p>\n<p>The Rapid7 report called for a reexamination of how hospitals and medical organizations decommission their legacy devices, as well as industry standards for purging data of sensitive information before selling them on the secondary market.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.4804270462633\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity-1.jpg?w=640&ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/gaps-in-medical-device-cybersecurity\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dispersed responsibility, lack of asset inventory is causing gaps in<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,452,1018,117,1020,439],"tags":[86,454,1021,119,1023,443],"class_list":["post-7504","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-fda","category-government","category-medical-devices","category-policy","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-fda","tag-government","tag-medical-devices","tag-policy"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/fda\/\" rel=\"category tag\">FDA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/medical-devices\/\" rel=\"category tag\">Medical devices<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/policy\/\" rel=\"category tag\">Policy<\/a>","tag_info":"Policy","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7504"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7504\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7504,"date":"2025-04-01T19:13:28","date_gmt":"2025-04-02T00:13:28","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=84065"},"modified":"2025-04-01T19:13:28","modified_gmt":"2025-04-02T00:13:28","slug":"dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/04\/01\/dispersed-responsibility-lack-of-asset-inventory-is-causing-gaps-in-medical-device-cybersecurity\/","title":{"rendered":"Dispersed responsibility, lack of asset inventory is causing gaps in medical device cybersecurity"},"content":{"rendered":"