In December 2020, we reported a data leak that potentially exposed 45 million unique medical images due to unprotected servers. The incident underscored the health care industry's increasing vulnerability to ever-rising cyberthreats. The U.S. Food and Drug Administration (FDA), however, has always been proactive in warning the health care sector about potential threats. Continuing its pursuit of providing the best security standards to medical device manufacturers and owners alike, the FDA has now appointed Kevin Fu as the first acting director of medical device cybersecurity at its Center for Devices and Radiological Health.
More About the First Director
Kevin Fu has been an associate professor of electrical engineering and computer science at the University of Michigan since 2013. In a career spanning more than 20 years, he has also been the Dwight E. Harken Memorial Lecturer and founded the Archimedes Center for Medical Device Security.
Fu has always been an advocate of bridging the gap between medicine and computer technology. He believes that the marriage of these two fields is inevitable in today’s digital world. Given his resume and expertise in medical device security, it is obvious why he is the most suitable candidate for the job. However, one more thing could have earned him brownie points in the selection: his stint as a Federal Advisory Board Member advising the National Institute of Standards and Technology (NIST).
Fu worked with NIST for four years (from 2011 to 2015) and advised it, the Secretary of Commerce, and the Director of the Office of Management and Budget on information security and privacy issues pertaining to the federal government’s information systems. His responsibilities included thoroughly reviewing proposed standards and guidelines developed by NIST and annually addressing Congress about his findings.
Naturally, his experience of how government policies and agencies work made him a perfect fit for the position.
Fu’s Immediate Plan of Action
Compared to a decade ago, today’s medical devices are heavily dependent on computer software. However, Fu states that changing legacy device software is a huge task. This is what threat actors seem to be exploiting, as was evident in the recent spate of ransomware attacks on hundreds of hospitals. Thus, keeping medical devices safe despite the growing cybersecurity risks is Fu’s top priority.
Fu, in an interview for his university’s publication, discussed the importance of building cybersecurity into the design of medical devices themselves. He finds it amusing that legal experts, engineers, patients, and clinicians are all considered stakeholders, but “there simply is no software security expert at the table.”
Fu also highlighted the importance of imparting security training to manufacturers of both IoT and medical devices. He said, “We are not providing the necessary level of security engineering training that companies need. Right now, though, I’m focused on medical device safety. I’m really looking forward to working at the FDA to help build public trust in the safety and effectiveness of medical devices despite the inherent cybersecurity risks.”
During his 12-month appointment as the director, Fu will retain his other positions and appointments, including his work at the University of Michigan.