Medical device cybersecurity at risk as HHS faces staffing cuts

WASHINGTON D.C., UNITED STATES — In a turn of events, the House Energy and Commerce subcommittee hearing on the safety of legacy medical devices became a platform for Democrats to protest deep staffing cuts at the United States Department of Health and Human Services (HHS).
The layoffs, which include 3,500 Food and Drug Administration (FDA) employees, have sparked fears of compromised cybersecurity oversight, as experts warn of the potential risks from outdated medical technology and inadequate monitoring systems.
Impact of staffing cuts on cybersecurity
The HHS and FDA job cuts raise serious concerns about the loss of cybersecurity expertise. Kevin Fu, a professor at Northeastern University and the FDA’s acting medical device cybersecurity director, called the loss “tremendous” because experts with such skills are difficult to find.
Erik Decker, CISO of Intermountain Health, stated that the FDA is a fundamental cybersecurity partner whose capacity to carry out suitable initiatives could be reduced.
The FDA, along with medical device manufacturers and hospitals, collaborates under the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) to address these challenges.
However, Decker highlighted that hospitals have implemented only about 55% of recommended cybersecurity practices for medical devices, leaving significant vulnerabilities unaddressed.
Cybersecurity challenges in healthcare
Medical devices present substantial cybersecurity risks to healthcare operations because the healthcare industry depends heavily on aging equipment. Congressman Gary Palmer (R-AL) stated that essential healthcare devices such as patient monitors and infusion pumps require modern cyber protective measures, which they presently do not possess.
The hardware can take decades to age, but software ages dramatically faster, which makes software updates and patches difficult.
All panel participants confirmed that cyber risks in medical devices are difficult to detect because no suitable monitoring solutions exist.
According to Dr. Christian Dameff, hospitals may not uncover harmful software in medical devices, although there have been no publicly recorded cases of patients being endangered by cyberattacks.
A forthcoming white paper from the HSCC will address the financial and staffing challenges in healthcare cybersecurity, highlighting the need for robust funding and staffing to mitigate these risks effectively.