Along with ever-expanding technology comes the need to protect it. Passwords, fingerprints, firewalls, and antivirus programs are just a few examples of common network security strategies. As medical devices continue evolving, the Food and Drug Administration (FDA) has recognized the pressing need to prioritize cybersecurity.
The FDA began its journey to strengthen the regulatory front in 2018 when it released its Medical Device Safety Action Plan and drafted guidance on cybersecurity for premarket submissions. Unfortunately, the COVID-19 pandemic promptly halted this progress. The Director of the Center for Devices and Radiological Health (CDRH), Jeff Shuren, stated that 2021 would be more of a reset year for both COVID-19 and unrelated progress. In attempts to move forward, the FDA has appointed Kevin Fu, an Associate Professor at the University of Michigan, as its first Director of Medical Device Security.
As the first cybersecurity chief in CDRH’s Office of Strategic Partnerships and Technology Innovation Fu’s mission is to bridge the gap between medicine and computer science and to help manufacturers protect medical devices from digital security threats. With a background in electrical engineering and computer science, and as a founder of the Archimedes Center for Medical Device Security, he is a more than qualified candidate to work on the FDA's security focused action plan.
Cyber experts acknowledge Fu’s appointment as a sign that the FDA is prioritizing cybersecurity in the coming year. The Director of Product Security at medical device engineering firm Velentium, Chris Gates, claims that Fu can help the FDA make significant progress on the regulatory front in 2021 with release of the second draft of the premarket cybersecurity guidance, and potentially a new draft of postmarket cyber guidance.
Experts believe that COVID-19 has created openings for cyber security threats, and many hospitals run on legacy systems that could enable vulnerabilities to go unnoticed. Through Fu’s appointment, the FDA looks to begin incorporating cybersecurity into medical devices during the design process instead of relying on later application.
Fu claims that his current focus is to “help build public trust in the safety and effectiveness of medical devices despite the inherit cybersecurity risks.” While he works with the FDA, he will build on CDRH’s cybersecurity programs, public-private partnerships, and premarket vulnerability assessments.