FDA Names First Acting Director of Medical Device Cybersecurity

Kevin Fu, an associate professor at the University of Michigan, will become the FDA’s first acting director of medical device cybersecurity.

By Jessica Davis

The Food and Drug Administration recently named Kevin Fu as the agency’s first Acting Director of Medical Device Cybersecurity in its Center for Devices and Radiological Health.

Fu is an associate professor of electrical engineering and computer science at the University of Michigan and a Dwight E. Harken Memorial Lecturer. He’s also the founder and chief scientist of the Archimedes Center for Medical Device Security. He’ll maintain these roles as he leads the FDA effort.

The newly created position is designed as a 12-month post, which began on January 1, 2021. Fu will lead the FDA’s ongoing efforts to ensure the safety and effectiveness of medical devices, including pacemakers, insulin pumps, hospital imaging machines, and other electronic devices.

Fu is tasked with working to bridge the gap between medicine and computer science, as well as supporting manufacturers in protecting medical devices from digital security threats.

Medical device security is a massive challenge for the majority of healthcare organizations. Troves of connected medical devices, incomplete inventories, and a heavy reliance on legacy platforms have left many entities vulnerable to attacks.

What’s worse, nation-state actors and other cybercriminals have launched multiple campaigns that target these weaknesses, which has become a serious risk to patient safety.

Those challenges have compounded amid the rapid adoption of devices used for the COVID-19 response, according to a recent Masergy report, sponsored by Fortinet.

“With the surge of remote healthcare and increased use of IoMT devices, there are more connected devices, cloud-based applications, and cloud platforms and services driving healthcare operations than ever,” researchers wrote at the time.

“This poses increased security risks, including anything from data breaches to phishing and malware attacks,” they added. “Ensuring continued healthcare security and data privacy is just as critical as ever.”

Security researchers have repeatedly stressed the need for collaboration across all industry stakeholders to combat these risks and bolster resources for those struggling to close these gaps.

The FDA has recognized these challenges, providing a medical device playbook in 2018 meant to help manufacturers, developers, and providers better secure connected devices. It’s resulted in an increase in reported vulnerabilities, which is much needed to tackle these risks.

With Fu as the first acting director of medical device cybersecurity, the needed collaboration and shift toward a stronger medical device infrastructure could be within reach.

To Fu, manufacturers need to better understand the need to build cybersecurity into the design of devices. To get there, engineers, patients, clinicians, and legal experts need to be brought to the table during the design process.

The other challenge is that medical devices rely on complicated software systems, which don’t always follow much-needed privacy and security standards. Fu stressed that there need to be stricter requirements for medical device design.

“You can’t simply sprinkle magic security pixie dust after designing a device,” Fu explained to the University of Michigan. “Whether for manufacturers of the Internet of Things or medical devices, we’re not providing the necessary level of security engineering training that companies need.” 

“Right now, though, I’m focused on medical device safety,” Fu concluded. “I’m really looking forward to working at FDA to help build public trust in the safety and effectiveness of medical devices despite the inherent cybersecurity risks.”