Kevin Fu Appointed as First Director of Medical Device Security by FDA

University of Michigan associate professor Kevin Fu has been appointed by the U.S. Food and Drug Administration (FDA) as its first director of medical device security.

Mr Fu will be acting director of medical device security at the FDA’s Center for Devices and Radiological Health (CDRH) and the recently created Digital Health Center of Excellence for 12 months from January 1, 2021. It is hoped that he can help “to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.”

Fu will help to create the CDRH cybersecurity programs, public-private partnerships, and premarket flaw assessments to ensure the security of medical devices including insulin pumps, pacemakers, imaging machines, and healthcare IoT devices and protect them against Internet-based security threats.

Fu has significant experience in medical device cybersecurity. At present he serves as chief scientist at the University of Michigan’s Archimedes Center for Medical Device Security, which he helped to create. He co-founded the healthcare cybersecurity startup Virta Labs with his doctoral students and was earlier a member of the National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board. Fu has also carried out research into software radio attacks on implantable medical devices such as pacemakers and cardiac defibrillators, and showed how off-the-shelf radio software could be leveraged to access the devices and intercept communications. Fu is currently associate professor of electrical engineering and computer science and the Dwight E. Harken Memorial Lecturer, and will continue in those University of Michigan positions.

Securing medical devices is one of his main tasks. Massive numbers of medical devices are now employed by hospitals in complex interconnected networks. Many hospitals do not have complete inventories of their devices, and since many operate using legacy systems, flaws can easily go unaddressed. Those vulnerabilities could be targeted by cyber threat actors to harm patients or to gain a foothold in healthcare computer networks.

As Fu outlined in a recent interview with Michigan News, the threat landscape has changed dramatically over the past decade. He commented: “Today, there are many more adversaries that are mounting attacks. A decade ago, it was very theoretical. But now you have hundreds of hospitals literally shut down because of ransomware. And new security vulnerabilities are identified in medical device software almost every day. We need to be vigilant in making sure that all of our medical devices have a basic level of security built in. Medical devices must remain safe and effective despite cybersecurity risks.”

Medical devices must have privacy and security measures included early in the design process, rather than addressed once the devices have been created. By that time, security flaws are already built into the devices and are much more difficult to remedy.

Sadly, medical device producers do not ask for input from security experts during the design of medical devices and fail to design the devices based on established computer security engineering principles.

“You can’t simply sprinkle magic security pixie dust after designing a device. Right now, though, I’m focused on medical device safety,” explained Fu. “I’m really looking forward to working at FDA to help build public trust in the safety and effectiveness of medical devices despite the inherent cybersecurity risks.”