This audio is auto-generated. Please let us know if you have feedback.

Long before joining the Food and Drug Administration, Kevin Fu had been alerting officials to the need for better medical device security. Fu recently served as the FDA’s first acting director of medical device cybersecurity, where he helped build draft guidance that outlines how manufacturers should address security in pre-market submissions, and how they should maintain those devices throughout a product’s lifetime. 

After leaving the agency in May, Fu is back at the University of Michigan as an associate professor of electrical engineering and computer science. His focus now is on helping universities incorporate security into their biomedical engineering programs, and building the cybersecurity workforce that medical device companies and regulators will need in the future. 

From his perspective as a professor, he talked about staffing needs, changing cybersecurity threats and how medical device companies can prepare. 

This interview has been edited for length and clarity. 

MEDTECH DIVE: What’s your overall vision for cybersecurity? 

KEVIN FU: How can we make use of good engineering and regulatory science to build security into medical devices rather than bolting on security after the fact? The reason for that is safety and effectiveness. It’s nearly impossible to have a safe and effective device without appropriate cybersecurity in this day and age.

In your previous role, did medical device companies take cybersecurity into account in their submissions? 

It’s like the classroom, you’ve got your A students and then you’ve got your C and D students. I don’t think there is any one generalization that’s true. I think you’ll find some leaders, and you’ll find some followers and you’ll still find some deniers, but that group is getting smaller by the day. 

Part of that is the realization that this is not a hypothetical. This is not a theoretical problem anymore. Twenty years ago, when a few of us, including myself, were working on this, it was very theoretical, and we were a bit ahead of our time. 

Today, you’re seeing internal health systems knocked offline because of cybersecurity issues, radiation therapy devices not being available for weeks because of cybersecurity threats. 

I’ve seen some sort of smack-my-head statements as well as, wow, this is a really brilliant approach that mitigates the risk. And the difference is, you can sense when the manufacturer has put in some quality time into their security engineering requirements and design threat modeling.

For the companies that are struggling right now, my message to them is there’s hope to improve, but you have to choose to improve.

How many people out there have some knowledge of both cybersecurity and medical devices? 

There are the IT medical device security experts and then there are the OT [Operational Technology] medical device cybersecurity experts. The education systems out there are fairly well designed for producing IT security experts. On the OT side of the house, I think it needs some severe national investment in terms of standing up new educational programs to help not just manufacturers, but also regulators and healthcare delivery organizations to get access to this specially-trained talent.

I would say it’s sort of the difference between a car driver and a car designer. We presently have a deficit of, in my view, security designers, and it takes a lot more time and investment on the part of the student to learn these skills. For that reason, you’re seeing manufacturers as well as regulators doing in-house training, where they’re taking somebody who’s an expert in safety or an expert in medical device design, and then teaching them security engineering. 

Does the FDA have enough budget and staff for adequate cybersecurity review?

At the end of the day, budgets matter, because that translates into headcount, that translates into speed, how quickly the agency can respond.

So in pre-market it’s critically important to have the staff available to interact with things like the Q-Sub [pre-submissions] and the 510(k) reviews. And then there’s the post-market side where there’s an incident, and you need to have experts on the inside who are knowledgeable about managing the risk of a security incident to coordinate with the extremely large number of stakeholders. 

The FDA, they’re pretty fortunate to have some amazing people on the cybersecurity team. However, for the most part, all of the experts on cybersecurity are fractional. They all have other really important duties. There are very few people who are just completely dedicated in terms of their allowable time for cybersecurity. So I do think it’s really important to fund the OT cybersecurity activities of the FDA, because if there are two simultaneous cybersecurity incidents in the future, and there’s not the budget there for the cybersecurity staff already in place, that’s going to create some real challenges.

Leave a Reply

Your email address will not be published. Required fields are marked *