Industry experts recently testified before a Congressional committee examining the impact of massive workforce cuts at the U.S. Department of Health and Human Services, specifically at the Food and Drug Administration, on medical device cybersecurity. The hearing, conducted by the House Energy and Commerce Committee Subcommittee on Oversight, focused on the challenges associated with cybersecurity in medical devices, including both legacy products and new innovations awaiting regulatory approval.
In December 2022, legislation was passed expanding the FDA’s authority over medical device cybersecurity. Since then, the agency has implemented a review process to evaluate the cybersecurity of new or modified medical devices as part of pre-market approval submissions. While progress has been made in enhancing cybersecurity expectations within the FDA, concerns were raised about the potential impact of recent workforce cuts on the agency’s ability to effectively manage cybersecurity risks in medical devices.
Experts highlighted the potential risks associated with workforce reductions at the FDA. Kevin Fu, a professor at Northeastern University and former special advisor to the FDA, emphasized the importance of maintaining a strong team of subject matter experts to address cybersecurity vulnerabilities and ensure patient safety. Any cuts to the FDA’s review staff could make it more challenging to manage cybersecurity risks in medical devices and could slow down the overall review process for innovative technologies in the healthcare sector.
In addition to staffing concerns, experts also raised issues related to legacy medical devices that may pose security risks due to outdated software or lack of support from vendors. Dr. Christian Dameff, co-director of the UC San Diego Center for Healthcare Cybersecurity, emphasized the need to address security vulnerabilities in legacy devices to protect patient safety and the integrity of healthcare IT systems.
Furthermore, uncertainties surrounding job security in the federal government could make it harder to recruit and retain skilled cybersecurity professionals in the medical device industry. This could further complicate efforts to strengthen cybersecurity measures in healthcare facilities and ensure the safe operation of medical devices.
The experts also called for legal protections for ethical hackers, who play a vital role in identifying vulnerabilities in medical devices. Strengthening legal safeguards for ethical hacking practices could help uncover critical security flaws and mitigate potential risks to patient safety.
Overall, the testimony provided valuable insights into the challenges facing medical device cybersecurity and underscored the need for continued investments in cybersecurity resources and expertise. As the healthcare sector grapples with evolving cybersecurity threats, it is essential to prioritize the protection of medical devices and ensure the safety and security of patients and healthcare infrastructure.