The FDA’s first medtech cybersecurity chief plans to work across private and public lines to lower cyberattack threats against medical devices and the healthcare systems and patients who use them.

Medical device manufacturers can expect a new FDA cybersecurity draft guidance for new medical devices sometime this year, according to the agency’s first acting director of medical device cybersecurity.
University of Michigan computer science researcher Kevin Fu has a big assignment to tackle during his one-year tenure — to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.
An associate professor of electrical engineering and computer science, Fu is the founder of the Archimedes Center for Medical Device Security at the university and considers updating legacy medical device software a “huge challenge.” Medtech executives need to better understand that challenge, not only to safeguard their older devices but so they can appreciate the value of cybersecurity early in the design of medical devices, Fu has said.
Fu started his new job Jan. 1 at the FDA’s Center for Devices and Radiological Health (CDRH) Office of Strategic Partnerships & Technology Innovation and the new Digital Health Center of Excellence.
“Kevin Fu is a global leader in medical device security and will bring unparalleled abilities as a visionary leader, expert, educator, researcher and advocate for a safer device ecosystem that serves patients and providers,” Dr. Suzanne Schwartz, director of the CDRH’s Office of Strategic Partnerships and Technology Innovation, told the university when Fu’s appointment was announced. “His academic background and real-world experience paired with sound FDA regulatory approaches make a potent combination to further advance medical device cybersecurity along with innovation and patient safety in a holistic manner.”
Medical Design & Outsourcing wanted to know more about Fu’s plans for medtech cybersecurity in 2021. His answers were edited for length and clarity.
MDO: How and why did this appointment come about?
Fu: It’s been in the planning stages for some time. We started in 2013 with a bare-bones team who were already wearing several CDRH emergency response hats to where we currently are — standing up a program that warrants personnel with the appropriate subject matter expertise.
MDO: What do you hope to accomplish during your tenure?
Fu: My primary activities will include:
- Envisioning a strategic roadmap for the future state of medical device cybersecurity.
- Assessing opportunities to fully integrate cybersecurity principles through the lens of the center’s total product life cycle model.
- Training and mentoring CDRH staff for premarket and postmarket technical review of medical device cybersecurity.
- Engaging multiple stakeholders across the medical device and cybersecurity ecosystems.
- Fostering medtech cybersecurity collaborations across the federal government, including the National Institute of Standards and Technology, National Science Foundation, National Security Agency, Department of Health and Human Services, National Telecommunications and Information Administration, Cybersecurity and Infrastructure Security Agency, Department of Veterans Affairs, Department of Defense, Federal Trade Commission and others.
MDO: How do you hope to convince more medtech companies to bring their legacy devices up to speed with cybersecurity?
Fu: The Healthcare and Public Health Sector Coordinating Council (HSCC) Legacy Task Group is co-chaired by health delivery organization, medical device manufacturing and FDA representatives. About 50 representatives across the healthcare sector have been working together over the last year to develop recommendations, suggestions, best practices, etc. on how to bring legacy devices up to speed with cybersecurity. Many medtech industry leaders are a direct part of the conversation, which helps lead to the spread of these practices throughout the industry. The FDA leadership also promotes adoption.
Cybersecurity of legacy devices is a huge part of new, international guidance in the International Medical Device Regulators Forum (IMDRF). In other words, medtech companies will find that cybersecurity for legacy devices is required across major world markets. All regulators, customers and their competitors are looking at the issues.
Moreover, the FDA’s 2018 Medical Device Safety Action Plan emphasizes its postmarket cybersecurity powers. The FDA can and has used its authorities to issue recalls and safety communications for device cybersecurity issues.
MDO: What do you propose manufacturers do to protect new devices?
Fu: Manufacturers are expected to take several measures, including:
- Comprehensive threat modeling of the systems.
- Software bills of materials (SBOMs).
- Security risk assessments.
- Adoption of contemporary security controls such as intrusion detection for networked systems and strong encryption/authentication algorithms, protocols, and key generation that can resist both known and projected cryptanalytic attacks for storage and communication.
- Secure software and firmware updates as a normal expectation for devices rather than as an exception.
These are some of the big areas where manufacturers are expected to wield the basic concepts of protecting information in computer systems established almost 50 years ago at the Association for Computing Machinery Symposium on Operating System Principles and now used for secure medical device design in various FDA-recognized consensus standards on medical device security.
MDO: Does the FDA intend to publish new or updated cybersecurity guidance in 2021? What should that guidance say?
Fu: The CDRH team has been working diligently on a new draft version of the premarket cybersecurity guidance that addresses the public comments entered into the docket in 2019, as well as what the FDA heard at its 2019 public workshop on medical device cybersecurity.
The new draft guidance, which is on the A-list for issuance later in 2021, is a reflection of the further evolution of cybersecurity via a secure product development lifecycle. The core, foundational principles of the original 2014 final premarket guidance remain unchanged. Emphasis is on the three cornerstones of trustworthiness, transparency and resilience that were described in the 2019 FDA public workshop opening remarks.
MDO: What are the FDA’s goals for the year?
Fu: The FDA has a number of goals for device cybersecurity in 2021, including updated premarket guidance, IMDRF cybersecurity guides, and public-sector and private-sector partnership activities with groups such as the HSCC and the Medical Device Innovation Consortium (MDIC). For instance, the FDA is working closely with federal partners — HHS and CISA — on sector incident and emergency response. The FDA’s 2021 efforts for the cybersecurity focal point program will further increase the review consistency of premarket submissions.
MDO: Will a permanent head of medtech cybersecurity be appointed after your tenure is over?
Fu: The FDA intends to fill the position with a permanent hire in the future.