Former FDA cybersecurity guru warns of ‘catastrophe’ without dedicated staff

Regulatory News | 29 June 2022 | By Ferdous Al-Faruque

Kevin Fu. (Source: University of Michigan)

The former top US Food and Drug Administration (FDA) cybersecurity expert says it’s only a matter of time before disaster strikes in the form of a medical device exploit that could harm patients. To get ahead of the problem, he said the agency needs to hire dedicated cybersecurity staff.
 
For the past year and a half, Kevin Fu, a cybersecurity professor from the University of Michigan, has been on loan to FDA as the acting director of medical device cybersecurity at the Center for Devices and Radiological Health (CDRH). During that time, he’s not only advised the agency but also learned about how the regulatory body works, and where it has shortcomings.
 
In a conversation with Regulatory Focus after leaving the agency, Fu warned that he fears the potential risks from cybersecurity attacks are growing and could spell disaster, especially as nation-state actors such as Russia are actively targeting the US health care system as payback for its support of Ukraine.
 
From his perspective, Fu says one of the things FDA is struggling with is how to keep up with the exponential growth of cybersecurity vulnerabilities considering there is no dedicated staff or budget.
 
“Right now, we’re pretty lucky,” he said. “If some people [at FDA] happened to be on vacation, it could be a bad day because there are no dedicated people allocated at the moment to cybersecurity.”
 
Fu said the agency needs a core group of staff who are dedicated to medical device cybersecurity “…otherwise in a couple of years there’s going to be a catastrophe when there’s nobody in place to manage it.”
 
“If there are ever two security incidents at the same time, by golly, godspeed,” he added. “I’m just impressed the agency has been able to do so much with so little so far.”
 
From his perspective, Fu says FDA is doing remarkably well given its resources. He notes that while the staff at the agency are experts in medical device cybersecurity and dedicated to its mission, there are no full-time staff dedicated to just cybersecurity and everyone has competing duties in other areas.
 
As the number of vulnerabilities has exponentially increased over the years, Fu says it’s especially critical the agency has dedicated staff with cybersecurity expertise to look out for threats in the postmarket setting.
Fu has been banging the drum on medical device cybersecurity since the 1990s to warn the industry and regulators about the risk of cybersecurity vulnerabilities. He remembers first giving a presentation on the topic to FDA in 2006 and being mostly ignored.
 
“There was nobody there working device security at the time,” said Fu. “There was just one person who said, ‘Hmm, that’s interesting.’ But the rest kind of shrugged.”
 
“That’s not the fault of the agency, it was just the sign of the times,” he added. “Most manufacturers were not aware of these risks, it was really off the radar and there was just a handful of us pointing out, ‘Watch out people, it’s coming, it’s the perfect storm.’”
 
But Fu persisted and over the years built good relationships with FDA leadership, who he says have asked him multiple times to work for the agency. It wasn’t until the COVID-19 pandemic, when he took a sabbatical from the University of Michigan, that the opportunity arose for him to work directly for FDA. The work-from-home scenario of the pandemic allowed him to stay in Michigan with his wife and children, and still work for FDA.
 
Fu also noted that the past year and a half has been very productive for cybersecurity in general because there have been a lot of interesting medical device cybersecurity problems that FDA has had to address, and there’s been significant movement on the legislative front. In particular, he pointed to the Protecting and Transforming Cyber Health Care (PATCH) Act, which allows FDA to require sponsors to include stronger cybersecurity measures in their products.
 
According to Fu, part of the reason there’s been an increase in the number of medical device cybersecurity vulnerabilities is that researchers are finally looking for them.
 
“It’s kind of like skin cancer just waiting there to metastasize,” said Fu. “So, thank goodness we’re looking now. We’re getting our checkups.”
 
“The other thing is that software is getting into everything, including hardware,” he added. “It’s difficult to find any device that’s not using software and now it’s difficult to find any device that doesn’t use or depend on the cloud.”
 
The good news, according to Fu, is that on the technical side there’s a lot of engineering expertise to address potential vulnerabilities. The hard part, however, he adds, is addressing public policy issues regarding potential vulnerabilities in a way that respects all the stakeholders involved while also being mindful of the costs.
 
Fu notes that there has been a cultural shift when it comes to medical device cybersecurity across the health care space but especially with manufacturers and regulators. He says while health care delivery organizations have been more open to doing something about cybersecurity vulnerabilities, it’s taken device manufacturers much longer to get over their denial.
 
“This is real progress, because 10 years ago this was a huge problem,” said Fu.
 
He notes that traditionally manufacturers didn’t want people looking behind the curtain to find potential vulnerabilities, but now, Fu argues, 90% of the conversations are no longer about whether there is a problem but about what to do about it.
 
On the regulatory front, Fu is glad cybersecurity has gone global with the creation of international cybersecurity standards and organizations such as the International Medical Device Regulators Forum (IMDRF) addressing medical device cybersecurity.
 
Fu said he realized that over the next 10-30 years there’s going to be a severe shortage of medical device cybersecurity professionals as the need for their expertise grows. While it will mostly be felt on the engineering side, he notes there will also be significant shortages on the public policy and the non-technical side.
 
“There are very few professors who are trained to do training in this space of how do you do threat modeling for a medical device, what is the regulatory science to get a medical device to be deemed safe and effective from a cybersecurity perspective,” said Fu. “There’s a lot out there that is not yet part of university curricula for degree programs. I know enough about the universities to know who’s working on what and what’s missing, I know what the gaps are, I know what the national needs are, and I know what the medical manufacturers’ needs are.”
 
Starting this fall, Fu says he plans to visit historically black colleges and universities to encourage students to enter medical device cybersecurity academia with the aim of one day becoming leaders in the field. He says there are often students in computer science who don’t necessarily prioritize working for big tech companies and making a lot of money, but rather are motivated by helping people. He’s hoping to find those students and train them on public policy to work in the field.
 
Fu says there are also medical device engineers and regulators who can be upskilled in cybersecurity engineering, either through certification programs or master’s degrees, to prepare them to become future leaders in the field. He notes that manufacturers and regulators are already struggling to find people with the minimum technical skills needed to work in medical device cybersecurity.

 

© 2022 Regulatory Affairs Professionals Society.
