ANN ARBOR – University of Michigan computer science researcher Kevin Fu has joined the U.S. Food and Drug Administration’s Center for Devices and Radiological Health as acting director of medical device cybersecurity.
His work will contribute to ongoing efforts by the FDA to ensure the safety and effectiveness of insulin pumps, pacemakers, hospital imaging machines and other electronic medical devices.
During his 12-month post, he will help manufacturers guard medical devices from cybersecurity threats and help bridge the gap between computer science and medicine.
An associate professor of electrical engineering and computer science at U-M, Fu is the founder of the Archimedes Center for Medical Device Security. Because his FDA post is an acting appointment, he will retain his appointment at U-M.
The university released the following Q&A with Fu, who discussed the medical device industry and the challenges it faces.
Electronics have been part of medical devices for years now. Has something changed that calls for additional security?
Today’s medical devices rely on software and the cloud to a much greater extent than they did even a few years ago. Virtually all medical devices depend on software, which wears out much faster than mechanical components. Updating legacy medical device software is a huge challenge.
The other big game changer is that today, there are many more adversaries that are mounting attacks. A decade ago, it was very theoretical. But now you have hundreds of hospitals literally shut down because of ransomware. And new security vulnerabilities are identified in medical device software almost every day. So we need to be vigilant in making sure that all of our medical devices have a basic level of security built in. Medical devices must remain safe and effective despite cybersecurity risks.
What is the industry doing to address the threats?
There are many manufacturers working hard to design medical devices with established computer security engineering principles, but I’d say it’s more the exception than the rule. A lot of medical device manufacturers have a difficult time grappling with computer security risks.
Manufacturer C-suites need to better understand and appreciate the value of cybersecurity early in the design of medical devices. There are so many different constituencies needed in the early design stage. You have legal experts, engineers, patients, clinicians, and often, there simply isn’t a software security expert at the table. Yet today, medical devices rely on extremely complicated software systems that do not necessarily follow the fundamental principles of information security and privacy we teach at U-M.
When security experts are brought in late in the game, the design vulnerabilities are already baked into the devices. In my opinion, medical devices today need meaningful cybersecurity beginning with requirements and design. Otherwise—do not pass go, do not collect $200. You can’t simply sprinkle magic security pixie dust after designing a device.
Do you think digital security experts need to be thinking differently about how their field fits into the big picture?
They absolutely do, and a lot of the responsibility for making that happen lies with educators like me. Whether for manufacturers of the Internet of Things or medical devices, we’re not providing the necessary level of security engineering training that companies need. Today’s graduates are often very good at finding vulnerabilities, but they also need university-level, interdisciplinary training in how to engineer embedded systems to withstand an adversary.
The world needs five-year academic programs that combine biomedical engineering, software engineering and public policy to culminate with a master’s degree. We also need to teach students by example how to work effectively with experts outside the computer science field. For instance, I bring my graduate students into live surgeries so they learn how software directly affects patient care.
How can we do a better job of teaching students to work across disciplines?
One thing I’d like to implement post-COVID is a program of interdisciplinary brick-and-mortar teams that bring together students and clinicians from different fields and even different universities, with Internet of Things cybersecurity represented at the table. Several universities have interesting programs to bring together engineers and physicians to innovate new medical devices.
Right now, though, I’m focused on medical device safety. I’m really looking forward to working at FDA to help build public trust in the safety and effectiveness of medical devices despite the inherent cybersecurity risks.