FDA, OIG Request Cybersecurity Investments in FY 2023 Budget

March 30, 2022 - The Biden Administration announced its FY 2023 budget proposal, which contains increased investments in cybersecurity across critical infrastructure.

“The Budget invests in cybersecurity programs to protect the Nation from malicious cyber actors and cyber campaigns,” the proposal stated.

For example, the budget will provide the Cybersecurity and Infrastructure Security Agency (CISA) with $2.5 billion to “maintain critical cybersecurity capabilities.”

In addition, the proposal emphasized the importance of IT infrastructure by funneling billions into IT modernization and growing the IT and cybersecurity workforce.

The Federal Drug Administration (FDA) and HHS’ Office of Inspector General (OIG) each released budget requests, outlined below, underscoring their intentions to improve healthcare cybersecurity.

FDA Focuses on Medical Device Security in FY 2023 Budget

The FDA is requesting a total of $8.4 billion in the President’s FY 2023 budget. Along with a focus on pandemic preparedness and food safety and nutrition modernization, the FDA plans to put additional resources toward medical device security.

Specifically, the FDA’s budget proposal allocated $5 million in additional funding toward improving the safety and security of medical devices.

“Developing a more comprehensive cybersecurity program for medical devices will help to identify and mitigate vulnerabilities that could compromise medical systems or disrupt device manufacturing or consumer use, placing national security at risk,” the proposal stated.

“Dedicated base funding for a cybersecurity program will allow for FDA to hire additional staff to recruit and develop greater cyber expertise within the devices program, as well as administer grants and contracts to develop infrastructure geared towards addressing emerging cybersecurity challenges.”

Healthcare organizations have consistently faced medical device security challenges due to the prominence of out-of-date legacy devices and a lack of visibility into the number of devices on their networks.

OIG Budget Focuses on Reducing Cyber Incident Backlog

OIG requested a total budget of $453.8 million to oversee HHS programs. Within that amount, OIG plans to invest $20 million in cybersecurity improvements and information blocking enforcement.

“This funding will be dedicated to cybersecurity and digital technology expansion, which will provide vital resources to hire specialized personnel from a competitive cybersecurity job market, increase OIG’s cybersecurity efforts, support needed expansions in digital technology, modernize OIG’s IT infrastructure, and further promote an AI-ready workforce,” the request stated.

“HHS and the health care industry face significant cybersecurity risks that OIG oversight and enforcement work will help mitigate.”

OIG’s priority outcomes include reducing the backlog of HHS cybersecurity incident reports that have been open for 30 days or longer. The office said it would attempt to improve the closure rate of new cybersecurity incidents to 30 days or less.

The FDA and OIG both chose to prioritize healthcare cybersecurity in their budget requests, addressing two of today’s most prominent issues—medical device security, and the sheer number of healthcare data breaches. Healthcare has long been a prime target for cyberattacks, and that is unlikely to change any time soon.

“On a daily basis, HHS systems and data, which are essential to performing mission-critical operations, are subject to thousands of cyberattacks,” OIG emphasized.