FDA, OIG HHS budget requests focus on improving medical device security, infrastructure

The Biden administration’s budget proposal includes improving the safety of medical devices. Pictured: A biomedical equipment technician stands in a room full of ventilators on May 17, 2021, at David Grant USAF Medical Center on Travis Air Force Base, Calif. (Nicholas Pilch/Air Force)

The budget proposal announced by the Biden administration on Monday would support the Department of Health and Human Services, including the Food and Drug Administration, with a number of cybersecurity and modernization initiatives. Some of the requested funds will be directed to securing research data generated by the National Institutes of Health.

Specifically, the FDA is seeking a $5 million budget increase to improve the safety and security of medical devices, while HHS is requesting $20 million for cybersecurity improvements and info blocking enforcement activities.

The FDA intends to use the funds for the development of a “more comprehensive cybersecurity program for medical devices,” which includes determining the best ways to identify and mitigate vulnerabilities that could lead to hacked medical systems or disruptions with device manufacturing, “placing national security at risk.”

With funds dedicated to cybersecurity, the FDA intends to hire additional staff for recruiting and bolstering its cyber expertise within the device program, in addition to issuing “grants and contracts to develop infrastructure geared towards addressing emerging cybersecurity challenges.” The FDA hired its first acting director of medical device cybersecurity in early 2021.

FDA Commissioner Robert Califf, MD, explained the budget request will be critical to this year’s priorities and focused on the “most urgent needs” — including medical device security.

As the agency continues to assess its role in public health, the FDA is evaluating how to modernize to meet evolving needs. Califf added that the “additional funding brings new ways to leverage opportunities to protect and advance the health of every American with reliable and science-based information.”

Health and Human Services OIG budget requests

Meanwhile, the HHS Office of the Inspector General issued its own congressional justification for its funding, under which it intends to use a “risk-assessment approach” to zero in on initiatives with the “highest-impact oversight and enforcement opportunities” in the health and public health sectors. OIG also intends to use some funding for info blocking enforcement activities.

Accounting for about 23% of all federal expenditures, HHS is the largest federal department with a vast network of grantees, contractors and service partners. 

“The size and importance of HHS make it a prime target for cybersecurity attacks. On a daily basis, HHS systems and data, which are essential to performing mission-critical operations, are subject to thousands of cyberattacks,” according to the OIG report.

OIG plans to use $20 million of the $26.3 million budget increase to bolster cybersecurity and information blocking activities, which will include initiatives to expand cybersecurity and digital technology and provide “vital resources to hire specialized personnel from a competitive cybersecurity job market and increase OIG’s cybersecurity efforts.”

The report shows the funds will be directly used to strengthen the cybersecurity protection of HHS systems and data, including reducing the backlog of cybersecurity incidents reported at HHS that have been open for more than 30 days and improving the closure rate of new incidents within 30 days.

As it stands, an examination of HHS’ ongoing cybersecurity challenges showed plenty of room for improvement. OIG intends to support the agency with reducing department-wide vulnerabilities and improving response efforts, while engaging with HHS tech leaders, analyzing “cybersecurity-incident ticket data,” and developing quarterly reports.

OIG and Government Accountability Office audits of HHS and its many departments have consistently found a number of high-risk vulnerabilities, particularly around access management and other key security measures.

In the coming year, OIG intends to “perform preliminary tests to better understand the structure of cybersecurity incidents and confirm reasonable targets for the reduction of the ticket backlog and the closure rate of new incidents,” along with identifying strategies for HHS to implement to improve the response time to incidents.

The funds will also support the modernization of OIG’s IT infrastructure, as well as promote “an AI-ready workforce” and “pay for investigative and enforcement activities related to information blocking.” In light of the continued cybersecurity risks to the healthcare sector, the report stressed that OIG oversight has become paramount to reducing threats.

Notably, a portion of the funding will enable OIG to finish consolidating its legacy systems and to pursue a number of modernization initiatives, which include responding to and complying with the Biden administration’s cybersecurity initiatives.

“OIG understands the operational impacts that cyberattacks, such as denial-of-service attacks or breaches of protected personally identifiable information, can have on individuals, organizations, and the nation as a whole,” according to the report.

HHS will likely always be a prime target of cyberattacks, making the administration's cybersecurity initiatives imperative for the nation’s security. OIG notes that its efforts to modernize and secure its infrastructure will be shared with HHS.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
