
Lawmakers warn of impact HHS firings will have on medical device cybersecurity efforts

As thousands were laid off from the Department of Health and Human Services on Tuesday morning, Congress held a hearing on medical device cybersecurity where experts raised concerns about the ramifications of the firings. 

Termination letters were sent out and the Trump administration said it plans to cut at least 10,000 staff from several arms of HHS — including the Food and Drug Administration (FDA), which manages medical device cybersecurity efforts.

During a subcommittee hearing of the House Committee on Energy and Commerce, multiple members of Congress peppered five medical device cybersecurity expert witnesses with questions about how the firings will impact efforts to check the devices for cybersecurity protections before and after they are sold to hospitals.

“I have difficulty seeing how we have a hearing about how the FDA should approach legacy medical device cybersecurity without first addressing the fact that the Trump administration and DOGE are dismantling the very agency responsible for medical device safety,” said Rep. Yvette Clarke (D-NY).

Clarke noted that in February, the Trump administration fired hundreds of people from the FDA's Center for Devices and Radiological Health (CDRH) but has declined to say how many are involved in medical device cybersecurity. 

She said HHS has told Democratic lawmakers that medical device reviewers would not be impacted by the latest round of firings, but would not address the many other HHS employees who are not technically reviewers yet hold significant roles related to the cybersecurity verification process. 

HHS did not respond to requests for comment. 

A 2022 bill mandated that medical device manufacturers abide by new cybersecurity rules and submit devices for verification by the FDA. 

Clarke and several other members of Congress warned that the firings would stymie this process, hampering efforts to release new, innovative medical devices and potentially damaging work done to monitor new issues found in already-released devices.

“Any progress FDA was making for cybersecurity reviews would be erased. The agency will have lost the people in need to carry out fully informed cybersecurity reviews and devices and patient security suffer as a result. This chaos is totally unnecessary,” she said. 

Kevin Fu, a witness on the panel who previously served as the first acting director of medical device security at CDRH, spoke at length about the dangers of not sufficiently vetting all medical devices — citing his decades of research into cyberattacks on everything from implantable defibrillators to patient monitors. 

Fu’s office worked with manufacturers to review devices and make sure security was baked in by design, with his team eventually creating regulator guidance for cybersecurity. His team also handled vulnerability reports from researchers as well as ransomware incident documents from law enforcement and hospitals.  

In 2024 alone, the FDA cleared or approved 33 medical devices and regulated more than 6,000 types of medical devices, according to Rep. Alexandria Ocasio-Cortez (D-NY). 

Fu argued that more funding at the FDA is needed to hire more people focused on medical device security, telling Congress that cybersecurity staff at the FDA “are crucial to national security.”

“The loss of capacity at FDA would seriously hinder national readiness to respond to emergent threats posing risks to national security,” Fu said. “In my opinion, if two cybersecurity incidents were to occur simultaneously, at present staffing levels as of yesterday, it's unlikely the FDA would be able to meet its congressionally mandated duties to ensure the availability of safe and effective medical devices.”

Fu later said that when he worked at the FDA in 2021 and 2022, it was a “skeleton crew” working on cybersecurity that was “already stressed.” Any firings would have a “tremendous negative impact on the cybersecurity of medical devices,” he told Congress, adding that efforts to respond to ransomware attacks and critical vulnerabilities would be impacted by staff reductions. 

He added that it will be difficult to replace the expertise of those being fired, many of whom have specialized experience in cybersecurity, healthcare, business and other fields. 

As an example, Fu said when he was in his role at FDA, he saw the first case of patient harm caused by ransomware. 

“This ransomware had infected the private cloud of a radiation therapy device company. I believe it was marketed to be able to have an uptime loss of no less than two hours a year, but it was down for six weeks because of ransomware,” he said.

“Having those subject matter experts as that interstitial tissue to connect with all the groups was extremely important to rectify that situation and get these devices back.”

Ocasio-Cortez on Musk’s Neuralink

Ocasio-Cortez noted during her questions that medical device firms, hospitals and the federal government have all called for more cybersecurity-focused employees at the FDA to help move along devices they wanted to release. 

She focused her ire on Tesla CEO Elon Musk, who has taken on an outsized role in the federal government as head of the Department of Government Efficiency (DOGE).

In February, Musk fired more than 700 FDA employees, including about 200 specifically from the CDRH. But Musk quickly scrambled to rehire some of the employees and specifically brought back the medical reviewers of Neuralink, a neurotechnology company he founded, Ocasio-Cortez said.

“They reinstated scientists that were reviewing his Neuralink device. Neuralink is a brain computer interface chip surgically implanted to the brain that Elon Musk has in front of the FDA,” she explained. 

“This kind of technology deserves secure safeguards and testing done by employees that aren't being held hostage right now. In fact, employees at the CDRH are reviewing Neuralink right now, and we're looking at this pattern of Elon Musk with other agencies.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.