FDA Layoffs Could Jeopardize Medical Device Cybersecurity Oversight


The U.S. Food and Drug Administration (FDA) is facing considerable cuts as part of agency workforce reductions. The FDA could lose up to 3,500 jobs, and the consequences will affect medical device cybersecurity oversight.

In a recent House hearing on cybersecurity threats, lawmakers and experts discussed the potential impact of fewer FDA employees and how this could imperil medical device cybersecurity oversight. These risks and threats were a priority of the agency, defined specifically in the agency’s 2023 guidance.

Healthcare Remains a Cyber Target

Healthcare has long been a favorite for hackers. In 2024, 92% of healthcare organizations experienced a cyberattack. As an industry always under heightened risk and obligated to meet regulatory requirements, healthcare needs the support of robust cybersecurity oversight.

The specific vulnerabilities of medical devices, both premarket and after approval, are broad. The most common include:

  • The introduction of AI and need for governance
  • Requirements related to keeping software updated after the identification of vulnerabilities
  • Dealing with legacy systems
  • Continuous monitoring of devices for unauthorized access

The agency and stakeholders, including device manufacturers and the providers who use their devices, had formed a type of coalition to address cybersecurity. Without these jobs, the agency’s contribution lessens. These subject matter experts have specialized skills and knowledge that aren’t easily replaced and that we can’t do without.

If simultaneous large-scale attacks occurred right now, the response would be slow. It would be difficult for the FDA to serve as the organization that ensures medical devices are safe and secure.

The argument for dismissing these FDA specialists is that other federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) already exist. That’s true, but it’s another group facing massive cuts. Additionally, CISA officials aren’t healthcare-specific; they are responsible for cybersecurity across all industries and categories.

The Impact on Device Reviews

The FDA must still be the body that reviews premarket submissions and grants approval. It was already a complex process. Of the 3,500 positions eliminated, 200 were device staff. Expect much longer review times, which will have a ripple effect on go-to-market strategies.

The most important group within the FDA for approvals is the Office of Product Evaluation and Quality (OPEQ). Its director was part of the layoffs, which could make regulators still in the FDA hesitant to do anything but rubber-stamp submissions. There’s also the fear that this will cause institutional knowledge gaps that could stifle innovation. Some other potential impacts include:

  • Less back-and-forth between manufacturers and reviewers—don’t expect clarification from the FDA should your premarket submission get kicked back
  • Limited or no guidance on new technology breakthroughs (the FDA did issue draft guidance for AI governance in medical devices, but it received a lot of pushback)
  • Little pre-submission engagement, which has helped ensure premarket documentation is sufficient

That’s not the win for manufacturers that some may think. These companies want their devices to be secure and meet or exceed standards. They do employ their own cybersecurity experts or work with third-party consultants. Getting the product to market is the goal. However, for it to be adopted for use and remain so, it must be safe and secure.

Remaining Steadfast in Combatting Medical Device Cybersecurity Risk

Even if the agencies regulating medical device cybersecurity seem to be in chaos, manufacturers and the healthcare community must continue emphasizing and prioritizing being secure by design. In addition, they should ensure proactive cybersecurity initiatives like penetration testing and vulnerability assessments stay in place.

Do you have questions about the FDA and medical device cybersecurity? We’re here to help. Contact us today.
