This audio is generated automatically. Please let us know if you have any comments.
Long before joining the Food and Drug Administration, Kevin Fu had alerted officials to the need for better safety in medical devices. Fu most recently served as the first acting director of medical device cybersecurity at the FDA, where he helped develop draft guidelines outlining how manufacturers should address security in premarket submissions and how they must maintain these devices throughout the life of a product.
After leaving the agency in May, Fu has returned to the University of Michigan as an assistant professor of electrical engineering and computer science. His goal now is to help universities integrate security into their biomedical engineering programs and build the cybersecurity workforce that medical device companies and regulators will need in the future.
From his perspective as a professor, he spoke about staffing needs, evolving cybersecurity threats, and how medical device companies can prepare.
This interview has been edited for length and clarity.
MEDTECH DIVE: What is your overall vision of cybersecurity?
KEVIN FU: How can we use good engineering and regulatory science to build safety into medical devices rather than building safety after the fact? The reason is safety and efficiency. It is almost impossible to have a safe and efficient device without proper cybersecurity in our times.
In your previous role, did medical device companies consider cybersecurity in their submissions?
It’s like the classroom, you have your A students, then you have your C and D students. I don’t think there’s a single generalization that’s true. I think you will find leaders, and you will find followers and you will still find deniers, but this group is shrinking day by day.
Part of that is the realization that this is not a guess. This is no longer a theoretical problem. Twenty years ago, when some of us, including me, were working on this, it was very theoretical, and we were a bit ahead of our time.
Today you see internal health systems taken offline due to cybersecurity concerns, with radiation therapy devices unavailable for weeks due to cybersecurity threats.
I’ve seen some kind of head-banging statements as well as, wow, that’s a really brilliant approach that mitigates the risk. And the difference is you can feel when the manufacturer has spent quality time on their security engineering requirements and design threat modeling.
For companies that are currently struggling, my message is that there is hope to improve, but you have to choose to improve.
How many people have knowledge of both cybersecurity and medical devices?
There are IT medical device security experts and then there are OTs [Operational Technology] medical device cybersecurity experts. Educational systems are quite well designed to produce computer security experts. On the OT side of the house, I think it needs a significant national investment in terms of getting new educational programs in place to help not just manufacturers but also regulators and healthcare delivery organizations to have access to this specially trained talent.
I would say that’s sort of the difference between a motorist and a car designer. We currently have a deficit, in my opinion, of security designers, and it takes a lot more time and investment on the part of the student to acquire these skills. Because of this, you see manufacturers as well as regulators going through in-house training, where they take someone who is a security expert or an expert in medical device design, and then teach them about security engineering.
Does the FDA have sufficient budget and staff for adequate cybersecurity review?
At the end of the day, budgets matter, because that translates into people, which translates into speed, how quickly the agency can respond.
So in pre-market it’s extremely important to have the staff available to interact with things like the Q-Sub [pre-submissions] and 510(k) notices. And then there’s the post-market side where there’s an incident, and you need internal experts who know the risk management of a security incident to coordinate with the huge number of stakeholders.
The FDA is lucky to have great people on the cybersecurity team. However, for the most part, all cybersecurity experts are divisive. They all have other really important tasks. There are very few people who fully dedicate their allotted time to cybersecurity. So I think it’s really important to fund FDA OT cybersecurity activities, because if there are two simultaneous cybersecurity incidents in the future, and there’s no budget for staff cybersecurity already in place, this will create real challenges .
We have seen many ransomware attacks against hospitals over the past few years. Do you see attacks specifically targeting medical devices?
If you are a ransomware organized crime unit, what do you do? You go where the money is. And there are known weaknesses in the IT systems, so it’s unfortunately very ripe for the picking. That’s not to say there isn’t someone looking after a particular medical device, but I haven’t seen that.
We don’t know what the future holds. We must therefore have secure and agile systems, even if the threats change, because they change. Ten years ago, we weren’t talking about ransomware. We were talking about a banal malware that gets into a computer virus.
If we manufacture, design, and market a medical device today, some of those devices will be in active use for 10 or 20 years, so they need to be agile enough to adapt to the changing threat landscape.
You talked about designing device security starting with a threat model. How it works?
Let me start by defining it by what it is not. It’s not just about buying a security product. It’s about stating your assumptions about the threats, so that when you later try to demonstrate that your medical device is safe and effective and has appropriate cybersecurity, you can tie it to something consistent and repeatable.
If a company says something like, “Well, we’ve never been attacked, so we don’t have to worry about security,” and they put that in the threat models section of their 510( k) or [Premarket Approval application], it would probably be a desktop rejection. It’s not a threat model – it’s just a belief.
I’ve also seen examples of threat models for network-connected medical devices, which are very common, and you might see a comment like “We’re asking the hospital to put this medical device on a secure hospital network” . At first glance, you might think that sounds reasonable. But if you dig, it actually doesn’t make sense. There is no secure hospital network. This is the problem.
In my opinion, a threat model will always start with [the assumption] that the adversary can control the network. They can drop internet packets, they can modify your internet packets, they can replay your internet packets, they can see all your traffic. And so I always advise to design your system in such a way that it can be safe and efficient, even if the adversary is plugged into your network.
There have been accusations in the past between hospitals and manufacturers over responsibility for device safety. Does it change?
Safety is a shared responsibility. No party is 100% released from liability. However, ultimately the entity that will design the security system is the manufacturer.
And the draft guidelines are pretty clear, it expects that devices can be patched and updated. I would say the current controversy is making sure devices are patchable.
Now, it is also true that there are many types of healthcare systems. Some systems will not even have an IT department. It can therefore be very difficult for a manufacturer to work with this diversity of capacities.
At the end of the day, the patches need to be applied, but it’s a tough space still being worked on right now. For example, if a manufacturer provides a patch, who is responsible for ensuring that it is installed?
You know, if I have a water leak and the plumber says, “I have to run this pipe,” you don’t just leave the pipe in front of the door and say, “Okay, have a nice day.” There must be some cooperation.
The House passed a cybersecurity law, which requires the FDA to review the cybersecurity of medical devices. What is your opinion on the bill?
In my opinion, the PATCH Act is extremely important for improving medical device cybersecurity, and it is so rare for me to find legislation that I believe is written in a way that is technology-agnostic, nimble, and helpful. . I do hope that the bill sees the light of day.