Skip to Main Content

FDA Requests Additional Funds to Bolster Cybersecurity

FDA’s FY 23 budget request asks for additional funds to build upon IT modernization and align cyber practices.

5m read
Written by:
image of photo of hands holding pencil and pressing calculator buttons over documents
Photo Credit: Pressmaster/Shutterstock

The Food and Drug Administration (FDA) addresses critical cybersecurity, data and technology modernization initiatives in its FY 2023 budget request, which could help the agency keep pace with the speed of innovation.

As part of the agency’s March 2022 budget request, FDA asked for $8.4 billion, a nearly 34% increase over its FY 2022 appropriated funding level. The additional funds would be used to invest in public health modernization, food safety and medical product safety programs and other public health infrastructure.

“This funding will expand and modernize the FDA’s regulatory capacity, information technology, and laboratory infrastructure, including strengthening the personal protective equipment supply chain by building analytics and creating predictive modeling capabilities,” an FDA spokesperson told GovCIO Media & Research.

An integral part of FDA’s day-to-day operations lies in the agency’s IT infrastructure. The agency’s Technology Modernization Action Plan (TMAP) and Data Modernization Action Plan (DMAP) serve as the FDA’s foundation to fully integrate smarter data and IT management throughout the agency.

Since launched, these plans have helped bring more effective and efficient data and IT management to streamline and advance FDA’s operations by reducing duplicative processes, implementing technological efficiencies and promoting shared services within agency offices.

“One of the most important lessons learned was the need to modernize the technology and scientific infrastructure that enables FDA’s experts to do their work,” FDA’s commissioner Robert Califf said during a Subcommittee on Agriculture, Rural Development, Food and Drug Administration, and Related Agencies hearing to review FDA’s FY 23 budget.

FDA has requested approximately $42 million above the FY 2022 enacted level for agency-wide investments in centralized data modernization. Without additional funds to modernize its data systems, FDA would still have to rely on legacy systems that cannot integrate with more current systems, resulting in delays and challenges leveraging new data-rich capabilities like machine learning (ML) and artificial intelligence (AI).

“Data is used to support every decision the FDA makes, and modern computation holds the key to efficiency and effectiveness,” Califf said. “The technology and data systems are not of the quality we need for us to fully facilitate innovation in the rapidly moving industry.”

By embracing the full array of data science, advanced statistics, machine learning and artificial intelligence, FDA inspectors and reviewers would be able to prioritize efforts and reduce manual workloads.

“This will not only enable our workforce to be more efficient, but also will make their jobs more interesting and this is a win-win,” Califf said. “We’ve got to put money into technology that allows our workforce to get more done more intelligently using computational and artificial intelligence.”

In addition to data modernization, FDA has requested additional funds to bolster its cybersecurity posture, following President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which tasks agencies to adopt baseline standards to proactively combat cyber threats, such as zero trust architectures.

FDA asked for $5 million to fund new dedicated resources for a cybersecurity program, which would allow FDA to hire additional staff to recruit and develop greater cyber expertise within the devices program, as well as administer grants and contracts to develop infrastructure geared towards addressing emerging cybersecurity challenges.

“Cybersecurity exploits are one of the most substantial threats faced by this nation, and the impact could be particularly harmful for our health care system, where vulnerabilities could compromise entire hospital systems or disrupt manufacturing of countless devices,” Califf said. “Funds for our device cybersecurity initiative will be used to help address risks associated with legacy devices… and rapidly address new medical device vulnerabilities.”

FDA’s Center for Devices and Radiological Health (CDRH) used previous funds from Congress to conduct critical activities including serving as the government lead for public private partnerships on legacy devices and vulnerability communications, as well as working to update guidance and support incident response activities associated with cyber challenges that can impact patient safety.

FDA is taking steps to help build on the work that the Devices Program and FDA stakeholders have already achieved that include:

  • Working with the Patient Sciences and Engagement program, which developed a paper on updated, more effective and more comprehensive strategies for communicating cybersecurity vulnerabilities to patients,
  • Funding a series of threat modeling bootcamps, in addition to a threat modeling playbook, to assist and train industry on threat modeling for cybersecurity risks in the medical device sector,
  • A collaboration with the MITRE to develop a supplemental rubric for the Common Vulnerability Scoring System (CVSS) that could be used as a medical device development tool (MDDT) by industry to characterize and assess the severity of cybersecurity vulnerabilities,
  • Updating the premarket guidance on medical device cybersecurity to better protect against moderate risks, such as ransomware campaigns that could disrupt clinical operations and delay patient care, and major risks such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack,
  • Collaborating with industry on cybersecurity challenges such as legacy medical devices and vulnerability communications via the Healthcare and Public Health Sector Coordinating Council (HSCC) public-private partnership,
  • Aiding in the amplification and convergence of international cybersecurity best practices as co-chair of the International Medical Device Regulators Forum.

“The agency’s approach to enterprise technology, data and cybersecurity will increase opportunities for efficiencies and resource management to support critical funding needs in other priority areas,” FDA’s spokesperson said. “Data and people power all our work. We are accelerating our enterprise technology and data modernization: driving long-term change to lead a data-driven, secure and a more technologically seamless FDA.”

Related Content