During a subcommittee hearing of the House Committee on Energy and Commerce, multiple members of Congress peppered five medical device cybersecurity expert witnesses with questions about how the firings will impact efforts to check the devices for cybersecurity protections before and after they are sold to hospitals. Fu later said that when he worked at the FDA in 2021 and 2022, it was a “skeleton crew” working on cybersecurity that was “already stressed.” Any firings would have a “tremendous negative impact on the cybersecurity of medical devices,” he told Congress, adding that efforts to respond to ransomware attacks and critical vulnerabilities would be impacted by staff reductions. Clarke noted that in February, the Trump administration fired hundreds of people from the FDA's Center for Devices and Radiological Health (CDRH) but has declined to say how many are involved in medical device cybersecurity. She said HHS has told Democratic lawmakers that medical device reviewers would not be impacted by the latest round of firings, but would not address the many other HHS employees who are not technically reviewers yet hold significant roles related to the cybersecurity verification process. As thousands were laid off from the Department of Health and Human Services on Tuesday morning, Congress held a hearing on medical device cybersecurity where experts raised concerns about the ramifications of the firings. “I have difficulty seeing how we have a hearing about how the FDA should approach legacy medical device cybersecurity without first addressing the fact that the Trump administration and DOGE are dismantling the very agency responsible for medical device safety,” said Rep.
Kevin Fu, a witness on the panel who previously served as the first acting director of medical device security at CDRH, spoke at length about the dangers of not sufficiently vetting all medical devices — citing his decades of research into cyberattacks on everything from implantable defibrillators to patient monitors. Ocasio-Cortez noted during her questions that medical device firms, hospitals and the federal government have all called for more cybersecurity-focused employees at the FDA to help move along devices they wanted to release. Termination letters were sent out and the Trump administration said it plans to cut at least 10,000 staff from several arms of HHS — including the Food and Drug Administration (FDA), which manages medical device cybersecurity efforts. A 2022 bill mandated that medical device manufacturers abide by new cybersecurity rules and submit devices for verification by the FDA. Clarke and several other members of Congress warned that the firings would stymie this process, hampering efforts to release new, innovative medical devices and potentially damaging work done to monitor new issues found in already-released devices. Fu’s office worked with manufacturers to review devices and make sure security was baked in by design, with his team eventually creating regulator guidance for cybersecurity.
This Cyber News was published on therecord.media. Publication date: Tue, 01 Apr 2025 20:40:10 +0000