FDA Staffing Reductions May Impede Cybersecurity Initiatives for Medical Devices

Experts Warn of Cybersecurity Risks from HHS Workforce Cuts During Congressional Testimony

Industry experts testify before the House Energy and Commerce Committee. From left to right: Dr. Christian Dameff, Erik Decker, Michelle Jump, Greg Garcia, Kevin Fu. (Image: U.S. Congress)

During a recent Congressional hearing, leading experts expressed concerns about significant workforce reductions at the U.S. Department of Health and Human Services (HHS), particularly at the Food and Drug Administration (FDA). They warned that these cuts could obstruct vital efforts in medical device cybersecurity, endangering patient safety and stifling technological innovation.

The hearing, conducted by the House Energy and Commerce Committee Subcommittee on Oversight, examined the cybersecurity risks associated with medical devices, focusing on both legacy systems and emerging technologies entering the regulatory review process.

In December 2022, legislation was enacted to enhance the FDA’s jurisdiction over the cybersecurity of medical devices, obligating the agency to assess the cybersecurity of new and modified devices during pre-market approval processes. Michelle Jump, CEO of the security consulting firm MedSec, highlighted the FDA’s progressive stance on cybersecurity but noted this advancement could be jeopardized by the impending staff reductions at the FDA.

HHS announced last week that the FDA is set to reduce its workforce by approximately 3,500 employees as part of a broader plan to cut 20,000 positions across the agency. While officials stated that roles related to drug and medical device reviews would remain intact, the lack of clarity around which specific positions would be affected raises alarms about the agency’s capacity to manage cybersecurity assessments effectively.

Kevin Fu, a professor at Northeastern University specializing in medical device cybersecurity, testified that any cuts to the FDA review staff would profoundly impact cybersecurity oversight, complicating both pre-market and post-market management efforts. Fu, who previously served as the acting director of medical device security at the FDA, emphasized the critical nature of subject matter experts in addressing vulnerabilities and responding to cyber threats.

The testimony underscored widespread concerns regarding older, unsupported medical devices that pose security challenges, potentially jeopardizing both patient safety and the integrity of interconnected healthcare IT systems. Dr. Christian Dameff, co-director of the UC San Diego Center for Healthcare Cybersecurity, stressed the urgency of understanding the scope and security of these legacy devices, which remain prevalent across healthcare infrastructures.

Furthermore, Dameff advocated for stronger legal protections for ethical hackers investigating medical device cybersecurity, noting their role in identifying significant vulnerabilities that could endanger patient safety. The lack of visibility into the number and location of legacy devices, such as the CMS8000 patient monitor, complicates efforts to secure these systems effectively.

The ongoing workforce cuts are not the sole challenge for the medical device cybersecurity field. Erik Decker, CIO of Intermountain Healthcare and a former co-chair of the Health Sector Coordinating Council, pointed out that the recent disbandment of key advisory committees has removed vital forums for discussing cybersecurity challenges among stakeholders in critical infrastructure sectors. According to Decker, reestablishing these committees is essential for coordinating efforts to safeguard sensitive vulnerabilities in the healthcare ecosystem.
