[{"_1":2,"_87":-5,"_88":-5},"loaderData",{"_3":4,"_26":27},"root",{"_5":6,"_17":10,"_18":19,"_20":21,"_22":10,"_23":-5,"_24":-5,"_25":10},"user",{"_7":8,"_9":10,"_11":10,"_12":-5,"_13":-5,"_14":15,"_16":-5},"roles",[],"isAuthenticated",false,"isPremium","planName","subscriptionStatus","featureFlags",{},"insightsBudget","isDevelopmentHost","userPreferences",{},"recaptchaSiteKey","6LcvOJcUAAAAAHsB-gPGfGktcRlKpH7OTIU_dMTD","isImpersonating","impersonation","affiliateStatus","isFreedomPortal","routes/v2/article/layout",{"_28":29,"_30":31},"notFound",true,"relatedArticles",[32,75],{"_33":34,"_35":36,"_37":38,"_39":40,"_41":42,"_43":44,"_45":46,"_47":48,"_49":50,"_51":52,"_53":54,"_55":56,"_57":58,"_59":60,"_61":62,"_63":64,"_65":66,"_67":68,"_69":70,"_71":72,"_73":72,"_74":72},"mediaId",6084378,"mediaKeyId","2916464-afd1ea5a087a89f17f5de8488011b161","parentId",2916464,"title","Experts and members warn HHS workforce cuts could weaken FDA oversight of device cybersecurity","audioSeconds",5208,"startMs",1380000,"endMs",6588000,"viewUrl","/Search/View?dp=1&key=2916464-afd1ea5a087a89f17f5de8488011b161&start=1380&end=6588","thumbnailUrl","https://assets.pipeline.soar.com/2916464-afd1ea5a087a89f17f5de8488011b161/thumbnail_1380000.jpg","articleUrl","/articles/6084378/Experts-and-members-warn-HHS-workforce-cuts-could-weaken-FDA-oversight-of-device-cybersecurity","mediaUrl","https://secure.pipeline.soar.com/6084378-d7e2693c77b5afd770c2045c60fa7c3f/orig.mp4?Expires=1770920215&Signature=UFNBHKAX5MXvaDzW0LgOcguVBA2my-wIEHTMkph4f90iPe2~r0cVWEADGaSMIDV-YlDY9dHKYsS3mBfi7mOt0MZXFrE2QU~MavCNsPyIy1jpTXYpOFYdLusogTLdDrfB7fIJrRz-tsfuejwnGD2kAk-W5GTyqy-p7fLR1DZiXHtpeY7rWn6K9R3v0YhsEqyuSqQy0gm1zb7eVtbVMeiFpYy0KtxQMPrLVPhsULdIttpGKGReqAVPlcjxBYFEarDljyU8KRYsSpX5UrSDySuhr9sxvVwPbFsj-Su0RCYs6nFSdmr5h26-lGVONUwF614OPoUIEiqkV6wMQkmvcyf3Sg__&Key-Pair-Id=KUT5TJCACFTXG","author","U.S. House Committee on Energy and Commerce","date","2025-04-01T00:00:00Z","article","Members of the House Energy and Commerce Subcommittee pressed witnesses that reductions to HHS and FDA staffing could undermine federal oversight of medical devices and the nation's ability to detect and mitigate cybersecurity risks.

Multiple members cited the administration's announced plan to cut 20,000 positions across HHS and the prospect of removing roughly 3,500 FDA staff, and asked witnesses whether such reductions would affect device safety work. \"I'm deeply alarmed by the Trump administration's announcement that the Department of Health and Human Services is DOSH's next target,\" Ranking Member Clark said during opening remarks, criticizing planned workforce reductions and calling for oversight.

Witnesses with direct FDA experience said the agency's specialized cyber subject‑matter experts play a central role in both premarket guidance and postmarket incident response. Dr. Kevin Fu, who previously led medical device security work at FDA, warned of capacity shortfalls: \"If you lose 1, you're probably going to have a much harder time responding to simultaneous threats, which seem to be a natural course of the future. If you lose 2, we might just not have a response.\" He told the committee those cybersecurity staff are not interchangeable with routine reviewers because they coordinate vulnerability disclosures, liaise with manufacturers and law enforcement, and evaluate emergent technical threats.

Dr. Christian Dameff and Eric Decker said FDA's role is one leg of a three‑way partnership with manufacturers and health care delivery organizations. Decker said weakened federal capacity would hamper cross‑sector coordination and recommended reconstituting advisory constructs that facilitate protected industry‑government collaboration, such as critical infrastructure policy advisory committees.

Why it matters: Members and witnesses said losing institutional memory and specialized technical staff at FDA would slow premarket clarity and postmarket incident management, which could delay safe products reaching patients and lengthen response times for emergent vulnerabilities. Several lawmakers asked the committee to demand answers from the administration about firings, rehiring, and the status of positions central to device security.

Requests and next steps: Committee Democrats repeatedly urged immediate oversight and a briefing from HHS on the restructuring plan, and several witnesses recommended reestablishing formal public‑private advisory forums and expanding resources for FDA cybersecurity staff. The subcommittee concluded by directing members to submit written questions for the record and soliciting follow‑up responses from witnesses.","mediaType","Video","parentTitle","O&I Hearing: Examining Cybersecurity Vulnerabilities in Legacy Medical Devices","oneSentenceSummary","Committee members and witnesses told the House subcommittee that proposed HHS and FDA staff reductions risk eroding the agency's ability to perform premarket review and postmarket cybersecurity oversight for medical devices, potentially harming patient safety and slowing innovation.","taxTitle","Energy and Commerce: House Committee, Standing Committees - House & Senate, Congressional Hearings Compilation, Legislative, Federal","taxId",1824,"location","","headline","shortSummary",{"_33":76,"_35":36,"_37":38,"_39":77,"_41":78,"_43":79,"_45":80,"_47":81,"_49":82,"_51":83,"_53":84,"_55":56,"_57":58,"_59":85,"_61":62,"_63":64,"_65":86,"_67":68,"_69":70,"_71":72,"_73":72,"_74":72},6084383,"Witnesses warn legacy medical devices create ongoing cybersecurity risks to patient care",4566,1137000,5703000,"/Search/View?dp=1&key=2916464-afd1ea5a087a89f17f5de8488011b161&start=1137&end=5703","https://assets.pipeline.soar.com/2916464-afd1ea5a087a89f17f5de8488011b161/thumbnail_1137000.jpg","/articles/6084383/Witnesses-warn-legacy-medical-devices-create-ongoing-cybersecurity-risks-to-patient-care","https://secure.pipeline.soar.com/6084383-a87eb58a27c70ab8f79b7b0bc6d23237/orig.mp4?Expires=1770920215&Signature=WoAociCp03J8Et8OFmyJI9MVy2mIjUrv8bltMbysetNAurZv~KKe2sxYoXqG3oGET0WIuQ6gEUXu87piNLxDNCbZ516wqWlSF7sqqQ64VpC~UMsW7e71R9i1igpfjSOHeR8OLfjzzgQIeNcIgrLSmDkqFIx-FBRDruKeFPq5p-TSCp8XoYLgthVeTNmAQ5hpb0jiu8eIrsrl2tZ07hssi55R5hspUlPg4ks8wE7IYcT3yEZ88ZCksYWOXaHXw~rJlJFiJchrpAWzWuCfZDVfs3s~eQ~OX1-g1s7qqG42TPo5PCwgbPCk1qaxplJw8Ajevk~DDU9gZ59Fs8wBenuPkw__&Key-Pair-Id=KUT5TJCACFTXG","A House Energy and Commerce Subcommittee hearing on aging medical technology heard experts say legacy medical devices — equipment that cannot be reasonably protected against current cybersecurity threats — pose an ongoing risk to patient safety and health-care operations.

Witnesses told the Subcommittee on Oversight and Investigations that medical devices are increasingly computer-based, often run on unsupported software, and can remain in hospitals for a decade or more, creating widespread exposure when vulnerabilities are discovered. \"Medical devices are miraculous,\" said Dr. Christian Dameff, co‑director of the UC San Diego Center for Healthcare Cybersecurity. \"At their core, many modern medical devices are just computers. And this means there will be unavoidable flaws in software and hardware.\"

The concern is not limited to large hospitals. \"The financial and operational stress that rural and critical access hospitals are currently under means they are unable to invest in the latest generation of medical devices,\" Dameff added, describing hospitals that keep devices running with parts purchased on secondary markets.

Why it matters: Witnesses said vulnerabilities can do more than expose data; they can degrade clinical monitoring or disrupt care delivery if exploited or if a networked system is taken offline. Dr. Kevin Fu, professor of electrical and computer engineering at Northeastern University, framed the problem bluntly: \"Legacy medical device security is spoiled milk, not fine wine. It does not age gracefully.\" He said some devices are effectively \"insecureable\" because their software cannot be patched.

What the panel recommended: Multiple witnesses urged federal‑private collaboration and concrete steps to reduce risk:
- National healthcare dependency mapping to identify critical device, vendor and network interdependencies (Dr. Dameff, Greg Garcia).
- Legal protections and permanency for coordinated security research (Dameff urged making DMCA exemptions for medical device research permanent).
- Wider adoption and promotion of sector guidance such as the Health Industry Cybersecurity Practices and the Cybersecurity Performance Goals (Eric Decker, Intermountain Healthcare; Greg Garcia, Health Sector Coordinating Council).
- Investment in force‑multiplying technologies and programs such as ARPA‑H pilot efforts to automate remediation for legacy devices (Dameff cited ARPA‑H's universal patching work).

Panelists described the operational barriers to quick fixes. Michelle Jumps, chief executive officer of MedSec, noted the mismatch between device lifecycles and software support: \"Medical devices used in clinical environments [can remain] 10, 15, or 20 years, but their underlying software components may only be supported for a fraction of the time.\" Eric Decker emphasized the practical constraints on patching: clinical testing and quality checks can delay or limit the deployability of device updates.

Several witnesses called for clearer incentives to help under‑resourced hospitals implement best practices. Decker pointed to HICCUP (the Health Industry Cybersecurity Practices) and the statutory recognition of those practices as a step toward incentives, and urged additional support targeted at small and rural providers.

Closing: Witnesses agreed the problem will persist as long as devices remain in clinical use longer than their software support and hospitals lack resources to replace or defend them. But they offered a mix of technical, regulatory and financial steps to reduce risk, including expanded public‑private intelligence sharing, workforce development, and targeted funding or reimbursement incentives to help providers update or better secure aging devices.","Experts at a House Energy & Commerce subcommittee hearing said medical devices with outdated software and long hardware lifespans create persistent cybersecurity vulnerabilities, urged national mapping, clearer incentives and more resources for hospitals and FDA to manage risks.","actionData","errors"]

Article not found

Experts and members warn HHS workforce cuts could weaken FDA oversight of device cybersecurity

Witnesses warn legacy medical devices create ongoing cybersecurity risks to patient care