Associate professor appointed to FDA cybersecurity position


There’s a good chance that your life will at some point depend on a piece of computer software. Lines of code drive pacemakers, insulin pumps, hospital imaging machines and just about every other electronic medical device that’s manufactured today.

But where there’s software, there are hackers. And a steady stream of hospital ransomware attacks and other malicious activity has shown that medical devices are not immune to attack. U-M computer science researcher Kevin Fu is joining the U.S. Food and Drug Administration in its ongoing effort to ensure the safety and effectiveness of medical devices.


Fu has been named acting director of medical device cybersecurity in the FDA’s Center for Devices and Radiological Health. In the newly created 12-month post that began Jan. 1, he’ll work to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.

Fu, associate professor of electrical engineering and computer science and the Dwight E. Harken Memorial Lecturer, is the founder of the Archimedes Center for Medical Device Security. He has long been both a leading researcher and an outspoken advocate for medical device security. As an acting director, he’ll retain his U-M appointment.

Electronics have been part of medical devices for years now. Has something changed that calls for additional security today?

Today’s medical devices rely on software and the cloud to a much greater extent than they did even a few years ago. Virtually all medical devices depend on software, which wears out much faster than mechanical components. Updating legacy medical device software is a huge challenge.

The other big game changer is that today, there are many more adversaries that are mounting attacks. A decade ago, it was very theoretical. But now you have hundreds of hospitals literally shut down because of ransomware. And new security vulnerabilities are identified in medical device software almost every day.

So we need to be vigilant in making sure that all of our medical devices have a basic level of security built in. Medical devices must remain safe and effective despite cybersecurity risks.

What is the industry doing to address the threats?

There are many manufacturers working hard to design medical devices with established computer security engineering principles, but I’d say it’s more the exception than the rule. A lot of medical device manufacturers have a difficult time grappling with computer security risks.

Manufacturer C-suites need to better understand and appreciate the value of cybersecurity early in the design of medical devices. There are so many different constituencies needed in the early design stage. You have legal experts, engineers, patients, clinicians, and often, there simply isn’t a software security expert at the table. Yet today, medical devices rely on extremely complicated software systems that do not necessarily follow the fundamental principles of information security and privacy we teach at U-M.

When security experts are brought in late in the game, the design vulnerabilities are already baked into the devices. In my opinion, medical devices today need meaningful cybersecurity beginning with requirements and design. Otherwise — do not pass go, do not collect $200. You can’t simply sprinkle magic security pixie dust after designing a device.

Do you think digital security experts need to be thinking differently about how their field fits into the big picture?

They absolutely do, and a lot of the responsibility for making that happen lies with educators like me. Whether for manufacturers of internet of things devices or of medical devices, we’re not providing the necessary level of security engineering training that companies need. Today’s graduates are often very good at finding vulnerabilities, but they also need university-level, interdisciplinary training in how to engineer embedded systems to withstand an adversary.

The world needs five-year academic programs that combine biomedical engineering, software engineering and public policy to culminate with a master’s degree. Within software engineering, students must master advanced topics such as principles of protecting computer systems. Academic programs to produce future experts must be rigorous and world-class, and the foundation must be more than a part-time certificate program.

We also need to teach students by example how to work effectively with experts outside the computer science field. For instance, I bring my graduate students into live surgeries so they learn how software directly affects patient care.

How can we do a better job of teaching students to work across disciplines?

One thing I’d like to implement post-COVID is a program of interdisciplinary brick-and-mortar teams that brings together students and clinicians from different fields and even different universities with internet of things cybersecurity represented at the table. Several universities have interesting programs to bring together engineers and physicians to innovate new medical devices.

Right now, though, I’m focused on medical device safety. I’m really looking forward to working at FDA to help build public trust in the safety and effectiveness of medical devices despite the inherent cybersecurity risks.
