Long before joining the Food and Drug Administration, Kevin Fu had been alerting officials to the need for better medical device security. Fu recently served as the FDA’s first acting director of medical device cybersecurity, where he helped build draft guidance that outlines how manufacturers should address security in pre-market submissions, and how they should maintain those devices throughout a product’s lifetime.
After leaving the agency in May, Fu is back at the University of Michigan as an associate professor of electrical engineering and computer science. His focus now is on helping universities incorporate security into their biomedical engineering programs, and building the cybersecurity workforce that medical device companies and regulators will need in the future.
From his perspective as a professor, he talked about staffing needs, changing cybersecurity threats and how medical device companies can prepare.
This interview has been edited for length and clarity.
MEDTECH DIVE: What’s your overall vision for cybersecurity?
KEVIN FU: How can we make use of good engineering and regulatory science to build security into medical devices rather than bolting on security after the fact? The reason for that is safety and effectiveness. It’s nearly impossible to have a safe and effective device without appropriate cybersecurity in this day and age.
In your previous role, did medical device companies take cybersecurity into account in their submissions?
It’s like the classroom, you’ve got your A students and then you’ve got your C and D students. I don’t think there is any one generalization that’s true. I think you’ll find some leaders, and you’ll find some followers and you’ll still find some deniers, but that group is getting smaller by the day.
Part of that is the realization that this is not a hypothetical. This is not a theoretical problem anymore. Twenty years ago, when a few of us, including myself, were working on this, it was very theoretical, and we were a bit ahead of our time.
Today, you’re seeing internal health systems knocked offline because of cybersecurity issues, radiation therapy devices not being available for weeks because of cybersecurity threats.
I’ve seen some sort of smack-my-head statements as well as, wow, this is a really brilliant approach that mitigates the risk. And the difference is, you can sense when the manufacturer has put in some quality time into their security engineering requirements and design threat modeling.
For the companies that are struggling right now, my message to them is there’s hope to improve, but you have to choose to improve.
How many people out there have some knowledge of both cybersecurity and medical devices?
There are the IT medical device security experts and then there are the OT [Operational Technology] medical device cybersecurity experts. The education systems out there are fairly well designed for producing IT security experts. On the OT side of the house, I think it needs some severe national investment in terms of standing up new educational programs to help not just manufacturers, but also regulators and healthcare delivery organizations to get access to this specially-trained talent.
I would say it’s sort of the difference between a car driver and a car designer. We presently have a deficit of, in my view, security designers, and it takes a lot more time and investment on the part of the student to learn these skills. For that reason, you’re seeing manufacturers as well as regulators doing in-house training, where they’re taking somebody who’s an expert in safety or an expert in medical device design, and then teaching them security engineering.
Does the FDA have enough budget and staff for adequate cybersecurity review?
At the end of the day, budgets matter, because that translates into headcount, that translates into speed, how quickly the agency can respond.
So in pre-market it’s critically important to have the staff available to interact with things like the Q-Sub [pre-submissions] and the 510(k) reviews. And then there’s the post-market side where there’s an incident, and you need to have experts on the inside who are knowledgeable about managing the risk of a security incident to coordinate with the extremely large number of stakeholders.
The FDA, they’re pretty fortunate to have some amazing people on the cybersecurity team. However, for the most part, all of the experts on cybersecurity are fractional. They all have other really important duties. There are very few people who are just completely dedicated in terms of their allowable time for cybersecurity. So I do think it’s really important to fund the OT cybersecurity activities of the FDA, because if there are two simultaneous cybersecurity incidents in the future, and there’s not the budget there for the cybersecurity staff already in place, that’s going to create some real challenges.
We’ve seen a lot of ransomware attacks on hospitals in the last few years. Are you seeing any attacks specifically targeting medical devices?
If you’re a ransomware organized crime unit, what do you do? You go where the money is. And there are known weaknesses in IT systems, so it’s sadly very ripe for the picking. That doesn’t mean that there isn’t someone going after a specific medical device, but I haven’t seen that.
We don’t know what the future holds. So we need to have our systems be secure and nimble, even if the threats change, because they do change. Ten years ago, we weren’t talking about ransomware. We were talking about run-of-the-mill malware breaking in a computer virus.
If we make, design and market a medical device today, some of these devices will be in active use for 10 or 20 years, so they have to be nimble enough to adapt to the changing threat landscape.
You’ve talked about device security design starting with a threat model. How does that work?
Let me begin by defining it by what it is not. It’s not just buying a security product. It’s about stating your assumptions about what are the threats, such that when you later try to demonstrate that your medical device is safe and effective and has appropriate cybersecurity, you can link it up to something coherent and reproducible.
If a company says something like, “Well, we’ve never been attacked, so we don’t need to worry about security,” and they put that into the threat models section of their 510(k) or [Premarket Approval application], that would likely be a desk reject. That’s not a threat model — that’s just belief.
I’ve also seen examples of threat models for network-connected medical devices, which are very common, and you might see a comment such as, “We require the hospital to put this medical device on a secure hospital network.” At first glance, you might think this sounds reasonable. But if you drill down it actually does not make sense. There’s no such thing as a secure hospital network. That’s the problem.
In my opinion, a threat model is always going to begin with [the assumption] that the adversary can control the network. They can drop internet packets, they can modify your internet packets, they can replay your internet packets, they can see all your traffic. And so I always advise designing your system such that it can be safe and effective, even if the adversary is plugged into your network.
There’s been some finger-pointing in the past between hospitals and manufacturers on whose responsibility it is to keep a device secure. Is that changing?
Security is a shared responsibility. No one party is 100% absolved of responsibility. However, at the end of the day, the entity that’s going to be designing the security system is the manufacturer.
And the draft guidance is quite clear, it expects devices to be patchable and updatable. I would say the contention right now is making sure that devices are patchable.
Now, it’s also true that there are many different kinds of health systems. There will be some systems that don’t even have an IT department. And so it can be very challenging for a manufacturer to work with this diversity of capabilities.
At the end of the day, the patches do need to be applied, but that is a challenging space still being worked out right now. For instance, if a manufacturer provides a patch, who is responsible for making sure it gets installed?
You know, if I have a water leak, and the plumber says, “I’ve got to install this pipe,” you don’t just leave the pipe outside the door and say, “okay, have a nice day.” There’s got to be some cooperation.
The House passed a piece of cybersecurity legislation, which requires the FDA to review cybersecurity for medical devices. What’s your take on the PATCH Act?
In my opinion, the PATCH Act is extremely important to improving the cybersecurity of medical devices, and it’s so rare for me to find legislation that I think is written in a way to be technology agnostic, nimble, and helpful. I certainly hope that the legislation sees the light of day.