Akin Gump Strauss Hauer & Feld LLP

FDA Appoints Acting Director of Medical Device Security, Signaling Increased Commitment to Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) announced that the newly created post of Acting Director of Medical Device Security has been filled by Kevin Fu, a University of Michigan associate professor and founder of the Archimedes Center for Medical Device Security. Fu, who was appointed for a one-year term, is expected to “work to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.”1 The creation of the position reflects the FDA’s ongoing efforts to ensure the safety and effectiveness of Internet of Things and medical devices such as insulin pumps, pacemakers, and hospital imaging machines. These devices, which increasingly rely on software and the cloud to operate, are particularly vulnerable to threat actors targeting hospitals and other medical providers with ransomware and other attacks. Such attacks have been on the rise, particularly given the shift to telehealth and remote operation of medical devices in the wake of COVID-19.

Medical device manufacturers can anticipate updated draft guidance on best practices in 2021.  The FDA released previous guidance in October 2018.2 Fu has also outlined his anticipated primary activities as the Acting Director of Medical Device Security during 2021:

  • Envisioning a strategic roadmap for the future state of medical device cybersecurity;
  • Assessing opportunities to fully integrate cybersecurity principles through the lens of the center’s total product life cycle model;
  • Training and mentoring the FDA’s Center for Devices and Radiological Health staff for premarket and postmarket technical review of medical device cybersecurity;
  • Engaging multiple stakeholders across the medical device and cybersecurity ecosystems; and
  • Fostering medtech cybersecurity collaborations across the federal government, including the National Institute of Standards and Technology, National Science Foundation, National Security Agency, Department of Health and Human Services, National Telecommunications and Information Administration, Cybersecurity and Infrastructure Security Agency, Department of Veterans Affairs, Department of Defense, Federal Trade Commission and others.3

Fu has separately urged entities to involve security experts from the beginning of the design process for a new device and has encouraged companies to bring legacy medtech devices up to speed with the latest cybersecurity protections, explaining that “whether for manufacturers of the Internet of Things or medical devices, we’re not providing the necessary level of security engineering training that companies need.” Fu noted that the FDA will be working closely with the U.S. Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) on sector incident and emergency response.


1 https://news.umich.edu/u-m-professor-appointed-to-fda-medical-device-security-post.

2 https://www.fda.gov/regulatory-information/search-fda-guidance-documents/content-premarket-submissions-management-cybersecurity-medical-devices.

3 https://www.natlawreview.com/article/fda-names-first-acting-director-medical-device-cybersecurity.
