Kevin Fu, PhD, a pioneer in medical device cybersecurity, joined the US Food and Drug Administration (FDA) earlier this year as expert-in-residence and acting director of medical device cybersecurity, a new 1-year position within the Center for Devices and Radiological Health (CDRH).
"He was basically the godfather of the topic," says Axel Wirth, chief security strategist at MedCrypt, a medical device cybersecurity company based in San Diego, California. In 2008, Fu was part of the team that first demonstrated it was possible to hack into an implantable cardiac defibrillator and potentially harm patients, helping start the field of medical device cybersecurity, Wirth says. It is hoped that Fu's position at the FDA will increase the ability of the agency and the medical device industry to tackle cybersecurity issues, he notes.
The position at the agency has been in the works for some time, Suzanne Schwartz, MD, MBA, director of the Office of Strategic Partnerships and Technology Innovation at the FDA's CDRH, told Medscape Medical News through a spokesperson. "It is not a reactive gesture by any means. Rather, it is a reflection of CDRH's state of growth and evolution in its medical device cybersecurity efforts," Schwartz said.
"Clinicians and healthcare leaders need to appreciate that medical devices are computers, and all computers naturally have postmarket cybersecurity risks," said Fu in an email provided by an FDA spokesperson. "That's why all manufacturers should provide healthcare delivery organizations with regular software updates to keep medical devices safe from evolving cybersecurity threats. Firewalls are not enough."
But as with most projects at the FDA, change won't be quick. "I view my year as guiding an aircraft carrier in the direction of my vision for improving medical device cybersecurity," Fu said. "It will take years of continuous effort and leadership on cybersecurity to ensure safe and effective devices as new threats and vulnerabilities inevitably arise." Fu said that at the end of his 1-year term, he plans to return to his regular duties at the University of Michigan.
Increased Connectivity, Increased Risk
As more medical devices have been equipped with Bluetooth capabilities or have become connected to physician and hospital networks during the past decade, the risk for potential attack or compromise has increased. "What was previously a niche field with little practical risk has changed into one where millions may rely on a particular security implementation," said Stuart Mendenhall, MD, a clinical cardiac electrophysiology expert at Scripps Memorial Hospital La Jolla, in San Diego, California, in an email to Medscape Medical News.
The increased connectivity of medical devices evolved in a gradual, ad hoc way. New features were added to improve the clinical experience without a view toward heading off potential security risks, says Vidya Murthy, vice president of operations at MedCrypt, a company focused on healthcare device security.
Society at large has become more reliant on technology in all aspects of life, and "cyber adversaries [have become] more sophisticated, stealthy, and more targeted," says Wirth.
Researchers such as Fu have shown it is possible to maliciously hack pacemakers and implantable cardiac defibrillator, insulin pumps, temperature sensing and control devices, and more. So far, the FDA has not received any reports of deliberate efforts to compromise medical devices in order to hurt patients, Schwartz said. However, connected medical devices have gotten caught up in larger cyber attacks, Wirth says. The 2017 WannaCry attack that affected several National Health Service hospitals in the United Kingdom took down imaging systems and infusion pump devices. Some medical devices were used as a "backdoor" into the system during the attack, according to Wirth.
Cybersecurity risks are continuing to grow. Because of the COVID-19 pandemic, use of telehealth has rapidly accelerated. With the shift to more healthcare at home, physicians, patients, manufacturers, regulators, and cybersecurity experts will have to contend with basic medical devices being hooked up to home networks that transmit information via the public network, Wirth says. New approaches, such as home dialysis, could be convenient for patients, but every device needs to be properly secured.
"The challenge in that acceleration is not to skip over cybersecurity," Wirth says.
Physicians and Cybersecurity
In addition to his FDA appointment, Fu is a cybersecurity researcher and director of the Archimedes Center for Medical Device Security at the University of Michigan, in Ann Arbor. He is a professor of computer security and healthcare and a cofounder of Virta Labs, a healthcare cybersecurity company. He has testified at multiple Senate and House hearings on medical device security.
"In his research, he's really future-gazing," says Murthy of Fu. His position as an academic and researcher could be an asset at the FDA, because he has "a different vested interest than someone from the corporate world — his perspective is rooted in what is equitable across the environment," Murthy said.
The medical device team Fu is joining at the FDA started in 2013, Schwartz said. The department's responsibilities include issuing safety communications about exploitable flaws in medical device systems and creating guidelines for manufacturers on managing device cybersecurity before and after a product goes to market. Bringing in a global leader in medical device security such as Fu at this point is a reflection of how the program is continuing to grow, according to Schwartz.
Medical device cybersecurity seemed to be pushed to the FDA's back burner last year during the pandemic, but Fu's appointment suggests it is back on the agenda, says Wirth. Consistent enforcement of cybersecurity standards by the FDA across the industry would help all manufacturers raise the quality of products, concurs Murthy. Figuring out how all the different players in the industry — manufacturers, healthcare professionals, regulators, cybersecurity experts, and others — can communicate effectively about this complex topic would be hugely beneficial, says Wirth.
In the past few years, the medical device world has begun to realize the importance of managing medical device cybersecurity throughout a device's lifecycle, said Fu. "A big part of my year concerns continuous improvement on the medical device industry side in what it means to 'design in' cybersecurity during initial product development and on the FDA side to further the education and training programs for FDA reviewers as it relates to device cybersecurity," he said.
Physicians and healthcare providers have a role to play in the cybersecurity ecosystem.
Often, the risks of cyber attack don't outweigh the benefit of using a particular medical device, says Murthy. But physicians should be aware of those potential risks. "Don't assume that if you're a physician, that it's not a topic you need to deal with; you will need to deal with it in the near future," says Wirth.
Medscape Medical News © 2021
Send news tips to firstname.lastname@example.org.
Cite this: First Cybersecurity Chief of Medical Devices Takes the Reins at FDA - Medscape - Feb 10, 2021.