Kevin Fu (Image courtesy of the University of Michigan)
University of Michigan computer science researcher Kevin Fu has been named acting director of medical device cybersecurity at the FDA.
Fu began working in the newly created 12-month post on Jan. 1, 2021, according to the university. His assignment is to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.
An associate professor of electrical engineering and computer science, Fu is the founder of the Archimedes Center for Medical Device Security. As an acting director, he’ll retain his university appointment.
Fu told the university that updating legacy medical device software is a “huge challenge” and that medtech manufacturing executives need to better understand and appreciate the value of cybersecurity early in the design of medical devices.
“There are so many different constituencies needed in the early design stage,” Fu said. “You have legal experts, engineers, patients, clinicians, and often, there simply isn’t a software security expert at the table. Yet today, medical devices rely on extremely complicated software systems that do not necessarily follow the fundamental principles of information security and privacy we teach at U-M.”
Given the number of cyberattacks on healthcare systems and security vulnerabilities identified in medical devices, “we need to be vigilant in making sure that all of our medical devices have a basic level of security built in,” he added. “Medical devices must remain safe and effective despite cybersecurity risks.”
Many manufacturers are working hard to design medical devices with established computer security engineering principles, but they are the exception, Fu said.
“In my opinion, medical devices today need meaningful cybersecurity beginning with requirements and design. Otherwise, do not pass go, do not collect $200. You can’t simply sprinkle magic security pixie dust after designing a device.”
Fu also recommended that universities establish five-year academic programs that combine biomedical engineering, software engineering and public policy, and teach students by example how to work effectively with experts outside the computer science field.
“Right now, though, I’m focused on medical device safety,” he concluded. “I’m really looking forward to working at FDA to help build public trust in the safety and effectiveness of medical devices despite the inherent cybersecurity risks.”
