FDA’s First Director of Medical Device Cybersecurity, Kevin Fu, Looks to Critical Threats

The Food and Drug Administration (FDA) has appointed Kevin Fu, Ph.D., as its acting director of medical device cybersecurity, a new position for the agency. This new FDA cybersecurity post will be housed in the agency’s Center for Devices and Radiological Health (CDRH). Fu will serve in this role for a year, during which the agency will seek out a permanent director.

Fu, an associate professor of electrical engineering and computer science at the University of Michigan (UM), is also the founder of the Archimedes Center for Medical Device Security at UM. Fu has served on AAMI standards committees and delivered a keynote address at the 2017 AAMI Conference & Expo. Earlier this year, AAMI and the Archimedes Center announced a collaboration to advance the practice of cybersecurity.

“Kevin Fu is a global leader in medical device security and will bring unparalleled abilities as a visionary leader, expert, educator, researcher, and advocate for a safer device ecosystem that serves patients and providers,” said Suzanne Schwartz, MD, MBA, Director of the Office of Strategic Partnerships and Technology Innovation at CDRH, in a statement. “His academic background and real-world experience paired with sound FDA regulatory approaches make a potent combination to further advance medical device cybersecurity along with innovation and patient safety in a holistic manner.”

Kevin Fu looks over a table strewn with electronics.

Photo credit: Joseph Xu/Michigan Engineering.

The key aim of the position, says Fu, is to help manufacturers protect medical devices from digital security threats. We caught up with Fu; his answers are below.

What are your goals at the FDA?

Fu: I’m really looking forward to helping build public trust in the safety and effectiveness of medical devices, despite the inherent cybersecurity risks. The primary activities will include:

  • Envisioning a strategic roadmap for the future state of medical device cybersecurity
  • Assessing opportunities for fully integrating cybersecurity principles through the lens of the Center’s Total Product Life Cycle model
  • Training and mentoring CDRH staff for premarket and postmarket technical review of medical device cybersecurity
  • Multistakeholder engagement across the diverse medical device and cybersecurity ecosystems
  • Fostering medical device cybersecurity collaborations across the federal government

Fortunately, there are a number of cybersecurity leaders at FDA; public engagement is a team effort. I expect to be quite visible on behalf of FDA in explaining medical device cybersecurity at public events. There are a number of key conferences that span medical device design, traditional cybersecurity, patient engagement, and more. It’s going to be a busy year.

What expertise do you bring to this new position?

Fu: I have a strong track record of helping different constituencies in the medical device manufacturing community work together to mitigate computer security problems. In my Security and Privacy Research Group Lab, we work alongside clinicians, biomedical engineers, and IT professionals in hospitals. We find novel security flaws and we innovate creative technical defenses. I have served on federal advisory committees and advise government scientists and policymakers. I have created programs for diversity, equity, and inclusion. I intend to leverage these experiences in my new role at FDA.

Why is security a critical issue for medical devices now?

Fu: Today’s medical devices rely on software and the cloud to a much greater extent than they did even a few years ago. You have had hundreds of hospitals literally shut down because of ransomware. And new security vulnerabilities are identified in medical device software almost every day. So, we need to be vigilant in making sure that all of our medical devices have a basic level of security built in and still remain safe and effective.

How challenging is creating improved cybersecurity for medical devices?

Fu: There are so many different constituencies needed in the early design stage: legal experts, engineers, patients, clinicians, and often, there simply isn’t a software security expert at the table. When security experts are brought in late in the game, the design vulnerabilities are already baked into the devices. You can’t simply sprinkle magic security pixie dust after designing a device.

Portions of this interview are used with permission from the University of Michigan and the FDA.