Stakeholders called for additional guidance on medical device security and funding to help resolve cybersecurity flaws in responses to a request for information by the House Energy and Commerce Committee.

AdvaMed noted that the committee’s RFI did not directly acknowledge that “medical devices cannot support updates beyond the useful life of the underlying technology, which for common off-the-shelf components can be as short as 3-4 years.”

The American Hospital Association said hospitals’ efforts to improve cybersecurity for medical devices often run up against unsecured legacy systems and the patching necessary to resolve the security flaws often impede the device’s function.

“Replacing these technologies is not financially feasible, with many hospitals only able to replace about 10 percent of devices in a given year,” the AHA wrote.