Insufficient funding and a lack of trained personnel at the U.S. Food and Drug Administration (FDA) may be adversely impacting the agency’s ability to thoroughly assess the security of medical devices against cyberattacks.
That’s the takeaway from an article posted to the website of MedTechDive. While acknowledging that a draft FDA guidance released earlier this year details the cybersecurity information that manufacturers should supply with their devices in support of the agency’s pre-market review process, it notes that many manufacturers view the guidance as optional.
Further, according to some industry experts quoted in the article, devices are being approved by the FDA despite the failure of manufacturers to submit any relevant information about cybersecurity risks and measures they have taken to minimize those risks.
According to the article, the FDA has requested an additional $5.5 million in funding for fiscal year 2023 to develop a more robust program to assess cybersecurity risks in medical devices. Part of the funding would be directed to hiring additional staff that focuses specifically on medical device cybersecurity. But some experts quoted in the article believe that, even with the additional funding, the FDA will still be insufficiently staffed to ensure the thorough review of medical devices for issues related to cybersecurity.