The U.S. Food and Drug Administration (FDA) has announced the appointment of University of Michigan associate professor Kevin Fu as its first director of medical device security.
Fu will serve a one-year term as acting director of medical device security at the FDA’s Center for Devices and Radiological Health (CDRH) and the recently created Digital Health Center of Excellence, starting on January 1, 2021. Fu will help “to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.”
Fu will help to develop the CDRH cybersecurity programs, public-private partnerships, and premarket vulnerability assessments to ensure the safety of medical devices, including insulin pumps, pacemakers, imaging machines, and healthcare IoT devices, and to protect them against digital security threats.
Fu has considerable experience in the field of medical device cybersecurity. He currently serves as chief scientist at the University of Michigan’s Archimedes Center for Medical Device Security, which he founded. He co-founded the healthcare cybersecurity startup Virtua Labs with his doctoral students and was previously a member of the National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board. Fu has also conducted research into software radio attacks on implantable medical devices such as pacemakers and cardiac defibrillators and demonstrated how off-the-shelf radio software could be used to access the devices and intercept communications. Fu is currently associate professor of electrical engineering and computer science and the Dwight E. Harken Memorial Lecturer, and he will retain those University of Michigan roles.
Securing medical devices is a major challenge. Huge numbers of medical devices are now used by hospitals in complex interconnected networks. Many hospitals do not have complete inventories of their devices, and since many run on legacy systems, vulnerabilities can easily go unaddressed. Those vulnerabilities could be exploited by cyber threat actors to cause harm to patients or to gain a foothold in healthcare computer networks.
As Fu explained in an interview recently published on Michigan News, the threat landscape has changed dramatically over the past decade. “Today, there are many more adversaries that are mounting attacks. A decade ago, it was very theoretical. But now you have hundreds of hospitals literally shut down because of ransomware. And new security vulnerabilities are identified in medical device software almost every day,” said Fu. “We need to be vigilant in making sure that all of our medical devices have a basic level of security built in. Medical devices must remain safe and effective despite cybersecurity risks.”
Medical devices need to have privacy and security measures incorporated early in the design process, rather than being bolted on after the devices have been developed. By that time, security flaws have been baked into the devices and they are much harder to address.
Unfortunately, all too often, medical device manufacturers do not seek input from security experts during the design of medical devices and fail to design the devices based on established computer security engineering principles. That is something that needs to change. “You can’t simply sprinkle magic security pixie dust after designing a device,” said Fu.
“Right now, though, I’m focused on medical device safety,” explained Fu. “I’m really looking forward to working at FDA to help build public trust in the safety and effectiveness of medical devices despite the inherent cybersecurity risks.”